From be6a71b283e47123a14ab728262cb6263229a9a4 Mon Sep 17 00:00:00 2001
From: "m.lettere" <marco.lettere@nubisware.com>
Date: Thu, 12 Jan 2023 17:29:36 +0100
Subject: [PATCH] multiple reinforced authorize for reducing expiration risks

---
 templates/group_created.json.j2 | 76 +++++++++++++++++++++++++++++++--
 1 file changed, 72 insertions(+), 4 deletions(-)

diff --git a/templates/group_created.json.j2 b/templates/group_created.json.j2
index 9d1f09f..8cd8da9 100644
--- a/templates/group_created.json.j2
+++ b/templates/group_created.json.j2
@@ -409,13 +409,30 @@
 			}
 		}
 	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize3",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
 	{
 		"name": "LAMBDA_TASK",
 		"taskReferenceName": "build_add_role_tasks",
 		"type": "LAMBDA",
 		"inputParameters": {
 		  "roles" : "${get_rootvo_roles.output.body}",
-		  "scriptExpression": "inputs={},tasks=[];function add(r, k){ if(r.name != 'uma_protection' && r.name != 'Member'){ tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_'+k}); inputs['create_'+k]={url:'${create_client.output.headers.location}/roles',body:{clientRole:true,name:r.name,description:r.description},method:'POST',headers:{Authorization:'Bearer ${authorize2.output.body.access_token}','Content-Type':'application/json'}}}};for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name, add(r, k);return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
+		  "scriptExpression": "inputs={},tasks=[];function add(r, k){ if(r.name != 'uma_protection' && r.name != 'Member'){ tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_'+k}); inputs['create_'+k]={url:'${create_client.output.headers.location}/roles',body:{clientRole:true,name:r.name,description:r.description},method:'POST',headers:{Authorization:'Bearer ${authorize3.output.body.access_token}','Content-Type':'application/json'}}}};for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name, add(r, k);return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
 		}
 	},
 	{
@@ -434,13 +451,30 @@
 	  "type" : "JOIN",
 	  "taskReferenceName" : "join_parallel_role_addition"
 	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize4",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
 	{
 		"name": "LAMBDA_TASK",
 		"taskReferenceName": "build_get_back_role_tasks",
 		"type": "LAMBDA",
 		"inputParameters": {
 		  "roleurls" : "${join_parallel_role_addition.output[*]..location}",
-		  "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roleurls.length;i++)u=$.roleurls[i],k='add-'+i,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'get_back_'+k}),inputs['get_back_'+k]={url:u,method:'GET',headers:{Authorization:'Bearer ${authorize2.output.body.access_token}',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
+		  "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roleurls.length;i++)u=$.roleurls[i],k='add-'+i,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'get_back_'+k}),inputs['get_back_'+k]={url:u,method:'GET',headers:{Authorization:'Bearer ${authorize4.output.body.access_token}',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
 		}
 	},
 	{
@@ -459,13 +493,30 @@
 	  "type" : "JOIN",
 	  "taskReferenceName" : "join_parallel_getting_back"
 	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize5",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
 	{
 		"name": "LAMBDA_TASK",
 		"taskReferenceName": "build_add_policy_tasks",
 		"type": "LAMBDA",
 		"inputParameters": {
 		  "roles" : "${join_parallel_getting_back.output[*].body}",
-		  "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_policy_'+k}),inputs['create_role_policy_'+k]={url:'${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role',body:{name:r.name+'_policy',description:'',type:'role',logic:'POSITIVE',decisionStrategy:'UNANIMOUS',roles:Java.to([{id:r.id,required:true}], 'java.util.Map[]')},method:'POST',headers:{Authorization:'Bearer ${authorize2.output.body.access_token}', Accept: 'application/json', 'Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
+		  "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_policy_'+k}),inputs['create_role_policy_'+k]={url:'${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role',body:{name:r.name+'_policy',description:'',type:'role',logic:'POSITIVE',decisionStrategy:'UNANIMOUS',roles:Java.to([{id:r.id,required:true}], 'java.util.Map[]')},method:'POST',headers:{Authorization:'Bearer ${authorize5.output.body.access_token}', Accept: 'application/json', 'Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
 		}
 	},
 	{
@@ -494,6 +545,23 @@
 			"scriptExpression": "return Java.to(Java.from($.otherpolicies).concat($.memberpolicy), 'java.lang.String[]')"
 		  }
 	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize6",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
 	{
 		"name" : "pyrest",
 		"taskReferenceName" : "finalize_permission",
@@ -510,7 +578,7 @@
 			},
 	  		"method" : "PUT",
 			"headers" : {
-			  "Authorization" : "Bearer ${authorize2.output.body.access_token}",
+			  "Authorization" : "Bearer ${authorize6.output.body.access_token}",
 			  "Content-Type" : "application/json"
 			}
   		}