From 1888711fe9813be0c793b6966720d7e4a142e3c4 Mon Sep 17 00:00:00 2001
From: sgiannopoulos
Date: Wed, 1 May 2024 14:57:49 +0300
Subject: [PATCH] tenant fixes
---
 .../AuthorizationProperties.java | 18 +++++++---
 .../KeycloakResourcesConfiguration.java | 4 +--
 .../service/keycloak/KeycloakServiceImpl.java | 36 +++++++++----------
 .../service/tenant/TenantServiceImpl.java | 35 +++++++++---------
 .../main/resources/config/authorization.yml | 1 +
 5 files changed, 49 insertions(+), 45 deletions(-)
diff --git a/backend/core/src/main/java/org/opencdmp/authorization/AuthorizationProperties.java b/backend/core/src/main/java/org/opencdmp/authorization/AuthorizationProperties.java
index ef9670d7e..1e50fc423 100644
--- a/backend/core/src/main/java/org/opencdmp/authorization/AuthorizationProperties.java
+++ b/backend/core/src/main/java/org/opencdmp/authorization/AuthorizationProperties.java
@@ -3,16 +3,16 @@ package org.opencdmp.authorization;
 import org.springframework.boot.context.properties.ConfigurationProperties;
-import java.util.HashSet;
 import java.util.List;
 @ConfigurationProperties(prefix = "authorization")
 public class AuthorizationProperties {
 private String globalAdminRole;
+ private String tenantAdminRole;
 public String getGlobalAdminRole() {
- return globalAdminRole;
+ return this.globalAdminRole;
 }
 public void setGlobalAdminRole(String globalAdminRole) {
@@ -21,7 +21,7 @@ public class AuthorizationProperties {
 private Boolean autoAssignGlobalAdminToNewTenants;
 public Boolean getAutoAssignGlobalAdminToNewTenants() {
- return autoAssignGlobalAdminToNewTenants;
+ return this.autoAssignGlobalAdminToNewTenants;
 }
 public void setAutoAssignGlobalAdminToNewTenants(Boolean autoAssignGlobalAdminToNewTenants) {
@@ -31,7 +31,7 @@ public class AuthorizationProperties {
 private List allowedTenantRoles;
 public List getAllowedTenantRoles() {
- return allowedTenantRoles;
+ return this.allowedTenantRoles;
 }
 public void setAllowedTenantRoles(List allowedTenantRoles) {
@@ -41,10 +41,18 @@ public class AuthorizationProperties {
 private List allowedGlobalRoles;
 public List getAllowedGlobalRoles() {
- return allowedGlobalRoles;
+ return this.allowedGlobalRoles;
 }
 public void setAllowedGlobalRoles(List allowedGlobalRoles) {
 this.allowedGlobalRoles = allowedGlobalRoles;
 }
+
+ public String getTenantAdminRole() {
+ return this.tenantAdminRole;
+ }
+
+ public void setTenantAdminRole(String tenantAdminRole) {
+ this.tenantAdminRole = tenantAdminRole;
+ }
 }
diff --git a/backend/core/src/main/java/org/opencdmp/service/keycloak/KeycloakResourcesConfiguration.java b/backend/core/src/main/java/org/opencdmp/service/keycloak/KeycloakResourcesConfiguration.java
index b31676ff8..c18669e00 100644
--- a/backend/core/src/main/java/org/opencdmp/service/keycloak/KeycloakResourcesConfiguration.java
+++ b/backend/core/src/main/java/org/opencdmp/service/keycloak/KeycloakResourcesConfiguration.java
@@ -16,11 +16,11 @@ public class KeycloakResourcesConfiguration {
 }
 public KeycloakResourcesProperties getProperties() {
- return properties;
+ return this.properties;
 }
 public String getTenantGroupName(String tenantCode) {
- return properties.getTenantGroupsNamingStrategy()
+ return this.properties.getTenantGroupsNamingStrategy()
 .replace("{tenantCode}", tenantCode);
 }
diff --git a/backend/core/src/main/java/org/opencdmp/service/keycloak/KeycloakServiceImpl.java b/backend/core/src/main/java/org/opencdmp/service/keycloak/KeycloakServiceImpl.java
index 9fc03807e..e732c321c 100644
--- a/backend/core/src/main/java/org/opencdmp/service/keycloak/KeycloakServiceImpl.java
+++ b/backend/core/src/main/java/org/opencdmp/service/keycloak/KeycloakServiceImpl.java
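Review bot: The new tenantAdminRole property exposed by the getter/setter pair at the end of this hunk carries no documentation, and nothing in the patch validates it: KeycloakServiceImpl looks it up as a key of getTenantAuthorities() and silently returns when it is absent, while TenantServiceImpl persists the raw string as the UserRoleEntity role, so a missing or mistyped value degrades silently rather than failing at startup. A Javadoc on the getter would make the contract visible: `/** Tenant-scoped role granted to global admins on a newly created tenant; must match a key of the Keycloak tenantAuthorities map and is persisted verbatim as the user's role. */`. It presumably should also be one of allowedTenantRoles, though no check relating the two is visible here. Consider rejecting a blank value when the properties bean is bound, so a misconfigured deployment fails at startup instead of creating tenants with no admin.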
@@ -1,20 +1,18 @@
 package org.opencdmp.service.keycloak;
-import org.opencdmp.convention.ConventionService;
-import gr.cite.commons.web.keycloak.api.configuration.KeycloakClientConfiguration;
-import gr.cite.tools.logging.LoggerService;
 import org.jetbrains.annotations.NotNull;
 import org.keycloak.representations.idm.GroupRepresentation;
-import org.slf4j.LoggerFactory;
+import org.opencdmp.convention.ConventionService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
-import java.util.*;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 @Service
 public class KeycloakServiceImpl implements KeycloakService {
- private static final LoggerService logger = new LoggerService(LoggerFactory.getLogger(KeycloakServiceImpl.class));
 private final MyKeycloakAdminRestApi api;
 private final KeycloakResourcesConfiguration configuration;
 private final ConventionService conventionService;
@@ -28,26 +26,26 @@ public class KeycloakServiceImpl implements KeycloakService {
 @Override
 public void addUserToGroup(@NotNull String subjectId, String groupId) {
- api.users().addUserToGroup(subjectId, groupId);
+ this.api.users().addUserToGroup(subjectId, groupId);
 }
 @Override
 public void removeUserFromGroup(@NotNull String subjectId, String groupId) {
- api.users().removeUserFromGroup(subjectId, groupId);
+ this.api.users().removeUserFromGroup(subjectId, groupId);
 }
 @Override
 public void addUserToGlobalRoleGroup(String subjectId, String role) {
 if (this.configuration.getProperties().getAuthorities() == null) return;
 KeycloakAuthorityProperties properties = this.configuration.getProperties().getAuthorities().getOrDefault(role, null);
- if (properties != null) addUserToGroup(subjectId, properties.getGroupId());
+ if (properties != null) this.addUserToGroup(subjectId, properties.getGroupId());
 }
 @Override
 public void removeUserGlobalRoleGroup(@NotNull String subjectId, String role) {
 if (this.configuration.getProperties().getAuthorities() == null) return;
 KeycloakAuthorityProperties properties = this.configuration.getProperties().getAuthorities().getOrDefault(role, null);
- if (properties != null) removeUserFromGroup(subjectId, properties.getGroupId());
+ if (properties != null) this.removeUserFromGroup(subjectId, properties.getGroupId());
 }
 @Override
@@ -55,33 +53,33 @@ public class KeycloakServiceImpl implements KeycloakService {
 if (this.configuration.getProperties().getAuthorities() == null) return;
 KeycloakTenantAuthorityProperties properties = this.configuration.getProperties().getTenantAuthorities().getOrDefault(tenantRole, null);
 if (properties == null) return;
- GroupRepresentation group = api.groups().findGroupByPath(getTenantAuthorityParentPath(properties) + "/" + configuration.getTenantGroupName(tenantCode));
- if (group != null) addUserToGroup(subjectId, group.getId());
+ GroupRepresentation group = this.api.groups().findGroupByPath(this.getTenantAuthorityParentPath(properties) + "/" + this.configuration.getTenantGroupName(tenantCode));
+ if (group != null) this.addUserToGroup(subjectId, group.getId());
 }
 @Override
 public void removeUserTenantRoleGroup(String subjectId, String tenantCode, String tenantRole) {
 KeycloakTenantAuthorityProperties properties = this.configuration.getProperties().getTenantAuthorities().getOrDefault(tenantRole, null);
 if (properties == null) return;
- GroupRepresentation group = api.groups().findGroupByPath(getTenantAuthorityParentPath(properties) + "/" + configuration.getTenantGroupName(tenantCode));
- if (group != null) removeUserFromGroup(subjectId, group.getId());
+ GroupRepresentation group = this.api.groups().findGroupByPath(this.getTenantAuthorityParentPath(properties) + "/" + this.configuration.getTenantGroupName(tenantCode));
+ if (group != null) this.removeUserFromGroup(subjectId, group.getId());
 }
 private String getTenantAuthorityParentPath(KeycloakTenantAuthorityProperties keycloakTenantAuthorityProperties) {
- GroupRepresentation parent = api.groups().findGroupById(keycloakTenantAuthorityProperties.getParent());
+ GroupRepresentation parent = this.api.groups().findGroupById(keycloakTenantAuthorityProperties.getParent());
 return parent.getPath();
 }
 @Override
 public void createTenantGroups(String tenantCode) {
 if (this.configuration.getProperties().getTenantAuthorities() == null) return;
- for (Map.Entry entry :configuration.getProperties().getTenantAuthorities().entrySet()){
+ for (Map.Entry entry : this.configuration.getProperties().getTenantAuthorities().entrySet()){
 GroupRepresentation group = new GroupRepresentation();
- group.setName(configuration.getTenantGroupName(tenantCode));
+ group.setName(this.configuration.getTenantGroupName(tenantCode));
 HashMap> user_attributes = new HashMap<>();
- if (!this.conventionService.isNullOrEmpty(this.configuration.getProperties().getTenantRoleAttributeName())) user_attributes.put(this.configuration.getProperties().getTenantRoleAttributeName(), List.of(configuration.getTenantRoleAttributeValue(tenantCode, entry.getValue())));
+ if (!this.conventionService.isNullOrEmpty(this.configuration.getProperties().getTenantRoleAttributeName())) user_attributes.put(this.configuration.getProperties().getTenantRoleAttributeName(), List.of(this.configuration.getTenantRoleAttributeValue(tenantCode, entry.getValue())));
 group.setAttributes(user_attributes);
- api.groups().addGroupWithParent(group, entry.getValue().getParent());
+ this.api.groups().addGroupWithParent(group, entry.getValue().getParent());
 }
 }
 }
diff --git a/backend/core/src/main/java/org/opencdmp/service/tenant/TenantServiceImpl.java b/backend/core/src/main/java/org/opencdmp/service/tenant/TenantServiceImpl.java
index 53dec6168..26fb42d1e 100644
--- a/backend/core/src/main/java/org/opencdmp/service/tenant/TenantServiceImpl.java
+++ b/backend/core/src/main/java/org/opencdmp/service/tenant/TenantServiceImpl.java
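Review bot: getTenantAuthorityParentPath's rewritten line `GroupRepresentation parent = this.api.groups().findGroupById(...)` is still followed by an unconditional `parent.getPath()`; if findGroupById can return null for an unknown parent id (its contract is not visible here), a misconfigured tenantAuthorities entry surfaces as a bare NullPointerException in the middle of tenant creation, so guard it: `if (parent == null) throw new IllegalStateException("Keycloak parent group not found: " + keycloakTenantAuthorityProperties.getParent());`. In the same hunk the guard at the top of addUserTenantRoleGroup tests getAuthorities() == null while the next line reads getTenantAuthorities(), whereas createTenantGroups below guards getTenantAuthorities(); the guard should read `if (this.configuration.getProperties().getTenantAuthorities() == null) return;`, and removeUserTenantRoleGroup has no such guard at all. addUserTenantRoleGroup's signature lies above the start of this hunk. Note also that the group path is assembled by concatenating the parent path, "/" and getTenantGroupName(tenantCode); that is only safe if tenant codes are validated elsewhere to exclude "/", which this patch does not show.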
@@ -1,9 +1,20 @@
 package org.opencdmp.service.tenant;
+import gr.cite.commons.web.authz.service.AuthorizationService;
+import gr.cite.tools.data.builder.BuilderFactory;
+import gr.cite.tools.data.deleter.DeleterFactory;
+import gr.cite.tools.data.query.QueryFactory;
+import gr.cite.tools.exception.MyApplicationException;
+import gr.cite.tools.exception.MyForbiddenException;
+import gr.cite.tools.exception.MyNotFoundException;
+import gr.cite.tools.exception.MyValidationException;
+import gr.cite.tools.fieldset.BaseFieldSet;
+import gr.cite.tools.fieldset.FieldSet;
+import gr.cite.tools.logging.LoggerService;
+import gr.cite.tools.logging.MapLogEntry;
 import org.opencdmp.authorization.AuthorizationFlags;
 import org.opencdmp.authorization.AuthorizationProperties;
 import org.opencdmp.authorization.Permission;
-import org.opencdmp.commons.XmlHandlingService;
 import org.opencdmp.commons.enums.IsActive;
 import org.opencdmp.commons.scope.tenant.TenantScope;
 import org.opencdmp.convention.ConventionService;
@@ -22,21 +33,7 @@ import org.opencdmp.model.deleter.TenantDeleter;
 import org.opencdmp.model.persist.TenantPersist;
 import org.opencdmp.query.UserCredentialQuery;
 import org.opencdmp.query.UserRoleQuery;
-import org.opencdmp.service.encryption.EncryptionService;
 import org.opencdmp.service.keycloak.KeycloakService;
-import gr.cite.commons.web.authz.service.AuthorizationService;
-import gr.cite.tools.data.builder.BuilderFactory;
-import gr.cite.tools.data.deleter.DeleterFactory;
-import gr.cite.tools.data.query.QueryFactory;
-import gr.cite.tools.exception.MyApplicationException;
-import gr.cite.tools.exception.MyForbiddenException;
-import gr.cite.tools.exception.MyNotFoundException;
-import gr.cite.tools.exception.MyValidationException;
-import gr.cite.tools.fieldset.BaseFieldSet;
-import gr.cite.tools.fieldset.FieldSet;
-import gr.cite.tools.logging.LoggerService;
-import gr.cite.tools.logging.MapLogEntry;
-import org.jetbrains.annotations.NotNull;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.MessageSource;
@@ -114,7 +111,7 @@ public class TenantServiceImpl implements TenantService {
 if (isUpdate) {
 data = this.entityManager.find(TenantEntity.class, model.getId());
 if (data == null)
- throw new MyNotFoundException(messageSource.getMessage("General_ItemNotFound", new Object[]{model.getId(), Tenant.class.getSimpleName()}, LocaleContextHolder.getLocale()));
+ throw new MyNotFoundException(this.messageSource.getMessage("General_ItemNotFound", new Object[]{model.getId(), Tenant.class.getSimpleName()}, LocaleContextHolder.getLocale()));
 if (!this.conventionService.hashValue(data.getUpdatedAt()).equals(model.getHash()))
 throw new MyValidationException(this.errors.getHashConflict().getCode(), this.errors.getHashConflict().getMessage());
 } else {
@@ -147,7 +144,7 @@ public class TenantServiceImpl implements TenantService {
 return this.builderFactory.builder(TenantBuilder.class).authorize(AuthorizationFlags.OwnerOrDmpAssociatedOrPermission).build(BaseFieldSet.build(fields, Tenant._id), data);
 }
- private void autoAssignGlobalAdminsToNewTenant(TenantEntity tenant){
+ private void autoAssignGlobalAdminsToNewTenant(TenantEntity tenant) throws InvalidApplicationException {
 if (!this.authorizationProperties.getAutoAssignGlobalAdminToNewTenants()) return;
 List existingItems;
 List userCredentialEntities;
@@ -167,10 +164,10 @@ public class TenantServiceImpl implements TenantService {
 UserRoleEntity item = new UserRoleEntity();
 item.setId(UUID.randomUUID());
 item.setUserId(userId);
- item.setRole(this.authorizationProperties.getGlobalAdminRole());
+ item.setRole(this.authorizationProperties.getTenantAdminRole());
 item.setCreatedAt(Instant.now());
 this.entityManager.persist(item);
- this.keycloakService.addUserToGlobalRoleGroup(userCredential.getExternalId(), this.authorizationProperties.getGlobalAdminRole());
+ this.keycloakService.addUserToTenantRoleGroup(userCredential.getExternalId(), this.tenantScope.getTenantCode(), this.authorizationProperties.getTenantAdminRole());
 }
 } finally {
 this.tenantScope.removeTempTenant(this.entityManager.getEntityManager());
diff --git a/backend/web/src/main/resources/config/authorization.yml b/backend/web/src/main/resources/config/authorization.yml
index acd4c2182..66baec614 100644
--- a/backend/web/src/main/resources/config/authorization.yml
+++ b/backend/web/src/main/resources/config/authorization.yml
@@ -1,5 +1,6 @@
 authorization:
 globalAdminRole: Admin
+ tenantAdminRole: TenantAdmin
 autoAssignGlobalAdminToNewTenants: true
 allowedTenantRoles:
 - TenantAdmin
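Review bot: The new role assignment in the hunk at line 167 uses getTenantAdminRole() unguarded: if the property is unset, `item.setRole(null)` is persisted and addUserToTenantRoleGroup returns silently because getOrDefault(null, null) yields no tenant-authority properties, so the database records a tenant-admin grant that Keycloak never receives; the same silent divergence occurs whenever the configured value is not a key of tenantAuthorities. Fail fast at the top of the method instead, e.g. `String tenantAdminRole = this.authorizationProperties.getTenantAdminRole();` followed by `if (this.conventionService.isNullOrEmpty(tenantAdminRole)) throw new IllegalStateException("authorization.tenantAdminRole is not configured");`, and use the local in both calls. The `throws InvalidApplicationException` added to the signature in the hunk at line 147 is presumably required by tenantScope.getTenantCode(), but no import for that exception is visible in this patch, so confirm it already exists in the file. The loop and try block containing the changed lines begin outside the hunk, as does the rest of the method body.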