From 5d6a17d2f54295974130074bb155e58683dfe919 Mon Sep 17 00:00:00 2001 From: "m.lettere" Date: Thu, 12 Jan 2023 17:33:38 +0100 Subject: [PATCH] multiple reinforced authorize for reducing expiration risks --- templates/group_created.json.j2 | 31 +++++++------------------------ 1 file changed, 7 insertions(+), 24 deletions(-) diff --git a/templates/group_created.json.j2 b/templates/group_created.json.j2 index 8cd8da9..9ab4993 100644 --- a/templates/group_created.json.j2 +++ b/templates/group_created.json.j2 @@ -409,30 +409,13 @@ } } }, - { - "name" : "pyrest", - "taskReferenceName" : "authorize3", - "type" : "SIMPLE", - "inputParameters" : { - "url" : "{{ keycloak }}/master/protocol/openid-connect/token", - "method" : "POST", - "headers" : { - "Accept" : "application/json" - }, - "body" : { - "client_id" : "orchestrator", - "client_secret" : "{{ keycloak_auth_master }}", - "grant_type" : "client_credentials" - } - } - }, { "name": "LAMBDA_TASK", "taskReferenceName": "build_add_role_tasks", "type": "LAMBDA", "inputParameters": { "roles" : "${get_rootvo_roles.output.body}", - "scriptExpression": "inputs={},tasks=[];function add(r, k){ if(r.name != 'uma_protection' && r.name != 'Member'){ tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_'+k}); inputs['create_'+k]={url:'${create_client.output.headers.location}/roles',body:{clientRole:true,name:r.name,description:r.description},method:'POST',headers:{Authorization:'Bearer ${authorize3.output.body.access_token}','Content-Type':'application/json'}}}};for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name, add(r, k);return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};" + "scriptExpression": "inputs={},tasks=[];function add(r, k){ if(r.name != 'uma_protection' && r.name != 'Member'){ tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_'+k}); inputs['create_'+k]={url:'${create_client.output.headers.location}/roles',body:{clientRole:true,name:r.name,description:r.description},method:'POST',headers:{Authorization:'Bearer ${authorize2.output.body.access_token}','Content-Type':'application/json'}}}};for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name, add(r, k);return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};" } }, { @@ -453,7 +436,7 @@ }, { "name" : "pyrest", - "taskReferenceName" : "authorize4", + "taskReferenceName" : "authorize3", "type" : "SIMPLE", "inputParameters" : { "url" : "{{ keycloak }}/master/protocol/openid-connect/token", @@ -474,7 +457,7 @@ "type": "LAMBDA", "inputParameters": { "roleurls" : "${join_parallel_role_addition.output[*]..location}", - "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roleurls.length;i++)u=$.roleurls[i],k='add-'+i,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'get_back_'+k}),inputs['get_back_'+k]={url:u,method:'GET',headers:{Authorization:'Bearer ${authorize4.output.body.access_token}',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};" + "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roleurls.length;i++)u=$.roleurls[i],k='add-'+i,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'get_back_'+k}),inputs['get_back_'+k]={url:u,method:'GET',headers:{Authorization:'Bearer ${authorize3.output.body.access_token}',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};" } }, { @@ -495,7 +478,7 @@ }, { "name" : "pyrest", - "taskReferenceName" : "authorize5", + "taskReferenceName" : "authorize4", "type" : "SIMPLE", "inputParameters" : { "url" : "{{ keycloak }}/master/protocol/openid-connect/token", @@ -516,7 +499,7 @@ "type": "LAMBDA", "inputParameters": { "roles" : "${join_parallel_getting_back.output[*].body}", - "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_policy_'+k}),inputs['create_role_policy_'+k]={url:'${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role',body:{name:r.name+'_policy',description:'',type:'role',logic:'POSITIVE',decisionStrategy:'UNANIMOUS',roles:Java.to([{id:r.id,required:true}], 'java.util.Map[]')},method:'POST',headers:{Authorization:'Bearer ${authorize5.output.body.access_token}', Accept: 'application/json', 'Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};" + "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_policy_'+k}),inputs['create_role_policy_'+k]={url:'${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role',body:{name:r.name+'_policy',description:'',type:'role',logic:'POSITIVE',decisionStrategy:'UNANIMOUS',roles:Java.to([{id:r.id,required:true}], 'java.util.Map[]')},method:'POST',headers:{Authorization:'Bearer ${authorize4.output.body.access_token}', Accept: 'application/json', 'Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};" } }, { @@ -547,7 +530,7 @@ }, { "name" : "pyrest", - "taskReferenceName" : "authorize6", + "taskReferenceName" : "authorize5", "type" : "SIMPLE", "inputParameters" : { "url" : "{{ keycloak }}/master/protocol/openid-connect/token", @@ -578,7 +561,7 @@ }, "method" : "PUT", "headers" : { - "Authorization" : "Bearer ${authorize6.output.body.access_token}", + "Authorization" : "Bearer ${authorize5.output.body.access_token}", "Content-Type" : "application/json" } }