clients
This commit is contained in:
parent
5785c5a712
commit
13ee1b5e91
@ -3,6 +3,8 @@ package org.gcube.service.idm.controller;
|
|||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.ws.rs.ForbiddenException;
|
||||
|
||||
import org.gcube.common.keycloak.model.ModelUtils;
|
||||
import org.gcube.common.security.Owner;
|
||||
import org.gcube.common.security.providers.SecretManagerProvider;
|
||||
|
@ -10,10 +12,17 @@ import org.gcube.common.security.secrets.Secret;
|
|||
|
||||
public class AuthController {
|
||||
public final static String IDM_SERVICE_READ = "idm-service-read";
|
||||
|
||||
// can admin current context
|
||||
public final static String IDM_SERVICE_ADMIN = "idm-service-admin";
|
||||
|
||||
public final static List<String> ACCESS_READ_ROLES = List.of(IDM_SERVICE_READ, IDM_SERVICE_ADMIN);
|
||||
public final static List<String> ACCESS_ADMIN_ROLES = List.of(IDM_SERVICE_READ);
|
||||
// can admin all realm, not only current context
|
||||
public final static String IDM_SERVICE_REALM = "idm-service-realm";
|
||||
|
||||
public final static List<String> ACCESS_READ_ROLES = List.of(IDM_SERVICE_READ, IDM_SERVICE_ADMIN,
|
||||
IDM_SERVICE_REALM);
|
||||
public final static List<String> ACCESS_ADMIN_ROLES = List.of(IDM_SERVICE_ADMIN, IDM_SERVICE_REALM);
|
||||
public final static List<String> ACCESS_ADMIN_REALM_ROLES = List.of(IDM_SERVICE_REALM);
|
||||
|
||||
public static String getAccessToken() {
|
||||
Map<String, String> authorizations = SecretManagerProvider.get().getHTTPAuthorizationHeaders();
|
||||
|
@ -76,4 +85,16 @@ public class AuthController {
|
|||
return !owner.isApplication() && owner.getId().equals(username);
|
||||
}
|
||||
|
||||
public static void checkIsRealmAdmin(String message) throws ForbiddenException {
|
||||
if (!checkAnyRole(ACCESS_ADMIN_ROLES)) {
|
||||
throw new ForbiddenException(message);
|
||||
}
|
||||
}
|
||||
|
||||
public static void checkIsContextmAdmin(String message) throws ForbiddenException {
|
||||
if (!checkAnyRole(ACCESS_ADMIN_REALM_ROLES)) {
|
||||
throw new ForbiddenException(message);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
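Review bot: checkIsRealmAdmin and checkIsContextmAdmin consult the wrong role lists: checkIsRealmAdmin tests ACCESS_ADMIN_ROLES, which contains idm-service-admin (documented in this hunk's sibling as "can admin current context"), while checkIsContextmAdmin tests ACCESS_ADMIN_REALM_ROLES, the realm-only list. As written a context admin passes the realm check, so every endpoint that gates a reserved parameter on checkIsRealmAdmin lets a context admin reach other contexts, which inverts the intent stated in the constants' comments. Swap the lists: `if (!checkAnyRole(ACCESS_ADMIN_REALM_ROLES)) {` in checkIsRealmAdmin and `if (!checkAnyRole(ACCESS_ADMIN_ROLES)) {` in checkIsContextmAdmin. The name checkIsContextmAdmin also looks like a typo for checkIsContextAdmin; it is public, so rename it now before callers accumulate. checkAnyRole is defined outside this hunk, so its semantics are assumed from its use here.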
@ -7,12 +7,14 @@ import java.util.Set;
|
|||
|
||||
import org.gcube.service.idm.IdMManager;
|
||||
import org.gcube.service.idm.controller.AdminKeycloakController;
|
||||
import org.gcube.service.idm.controller.AuthController;
|
||||
import org.gcube.service.idm.controller.KCClientsController;
|
||||
import org.gcube.service.idm.controller.KCGroupsController;
|
||||
import org.gcube.service.idm.controller.KCRolesController;
|
||||
import org.gcube.service.idm.controller.KCUserController;
|
||||
import org.gcube.service.idm.keycloack.KkClientFactory;
|
||||
import org.gcube.service.idm.serializers.IdmObjectSerializator;
|
||||
import org.gcube.service.rest.ErrorMessages;
|
||||
import org.gcube.service.rest.ResponseBean;
|
||||
import org.gcube.service.rest.ResponseBeanMap;
|
||||
import org.gcube.smartgears.annotations.ManagedBy;
|
||||
|
@ -84,29 +86,38 @@ public class ClientsAPI {
|
|||
@QueryParam("client_id") String clientId) {
|
||||
ResponseBean responseBean = new ResponseBean();
|
||||
|
||||
RealmResource realmResource = KkClientFactory.getSingleton().getKKRealm();
|
||||
ClientResource clientResource = null;
|
||||
|
||||
// select the client by name, or current client if client_name parameter is
|
||||
// null;
|
||||
if (clientId == null) {
|
||||
clientResource = KkClientFactory.getSingleton().getKKClient();
|
||||
} else {
|
||||
|
||||
List<ClientRepresentation> clients = realmResource.clients().findByClientId(clientId);
|
||||
|
||||
if (clients.size() == 0) {
|
||||
throw new NotFoundException();
|
||||
}
|
||||
String id = clients.get(0).getId();
|
||||
|
||||
clientResource = realmResource.clients().get(id);
|
||||
if (clientId != null) {
|
||||
AuthController.checkIsRealmAdmin(ErrorMessages.RESERVED_PARAMETER + "client_id");
|
||||
}
|
||||
|
||||
RolesResource roles_resource = clientResource.roles();
|
||||
RoleResource role_resource = roles_resource.get(role_name);
|
||||
// RealmResource realmResource = KkClientFactory.getSingleton().getKKRealm();
|
||||
// ClientResource clientResource = null;
|
||||
|
||||
// // select the client by name, or current client if client_name parameter is
|
||||
// // null;
|
||||
// if (clientId == null) {
|
||||
// clientResource = KkClientFactory.getSingleton().getKKClient();
|
||||
// } else {
|
||||
|
||||
// List<ClientRepresentation> clients =
|
||||
// realmResource.clients().findByClientId(clientId);
|
||||
|
||||
// if (clients.size() == 0) {
|
||||
// throw new NotFoundException();
|
||||
// }
|
||||
// String id = clients.get(0).getId();
|
||||
|
||||
// clientResource = realmResource.clients().get(id);
|
||||
// }
|
||||
|
||||
// RolesResource roles_resource = clientResource.roles();
|
||||
// RoleResource role_resource = roles_resource.get(role_name);
|
||||
// List<UserRepresentation> user_members =
|
||||
// role_resource.getUserMembers(firstResult, maxResults);
|
||||
|
||||
List<UserRepresentation> user_members = KCClientsController.getContextUsersByRole(clientId, role_name,
|
||||
firstResult, maxResults);
|
||||
|
||||
List<UserRepresentation> user_members = role_resource.getUserMembers(firstResult, maxResults);
|
||||
Object result = KCUserController.formatList(user_members, format_users);
|
||||
responseBean.setResult(result);
|
||||
|
||||
|
@ -159,7 +170,12 @@ public class ClientsAPI {
|
|||
@QueryParam("client_id") String clientId) {
|
||||
ResponseBean responseBean = new ResponseBean();
|
||||
|
||||
if (clientId != null) {
|
||||
AuthController.checkIsRealmAdmin(ErrorMessages.RESERVED_PARAMETER + "client_id");
|
||||
}
|
||||
|
||||
List<UserRepresentation> user_members = KCClientsController.getMemberGroupUsers(clientId, firstResult,
|
||||
maxResults);
|
||||
Object result = KCUserController.formatList(user_members, format_users);
|
||||
responseBean.setResult(result);
|
||||
|
||||
|
@ -215,6 +231,12 @@ public class ClientsAPI {
|
|||
@QueryParam("client_id") String clientId) {
|
||||
ResponseBeanMap responseBean = new ResponseBeanMap();
|
||||
|
||||
if (clientId != null) {
|
||||
AuthController.checkIsRealmAdmin(ErrorMessages.RESERVED_PARAMETER + "client_id");
|
||||
}
|
||||
|
||||
|
||||
|
||||
// String role_name = "Member";
|
||||
|
||||
boolean show_groups = !format_group.equals(KCGroupsController.REPR.none);
|
||||
|
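Review bot: The users-by-role hunk of ClientsAPI keeps the whole previous lookup as commented-out code (the `// RealmResource realmResource ...` through `// role_resource.getUserMembers(...)` lines) beside the live KCClientsController.getContextUsersByRole call; version control already preserves that history, so delete the stale copy rather than ship two implementations. The new gate `if (clientId != null)` in front of checkIsRealmAdmin only catches an absent parameter: an empty `client_id=` query value is non-null and skips the realm-admin check, and what getContextUsersByRole and getMemberGroupUsers do with an empty id is not visible here, so treat blanks as absent or reject them, e.g. `if (clientId != null && !clientId.trim().isEmpty())`. The same three lines are repeated in all three endpoints of this file, which is a natural place for one shared helper. The enclosing methods start outside the hunks shown.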
@ -1,7 +1,5 @@
|
|||
package org.gcube.service.idm.rest;
|
||||
|
||||
import java.rmi.ServerError;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
|
@ -179,12 +177,9 @@ public class RolesAPI {
|
|||
Set<GroupRepresentation> groups = r.getRoleGroupMembers(firstResult, maxResults);
|
||||
responseBean.putResult("roleGroupMembers", groups);
|
||||
|
||||
|
||||
List<UserRepresentation> users = r.getUserMembers();
|
||||
responseBean.putResult("users", users);
|
||||
|
||||
|
||||
|
||||
ObjectMapper objectMapper = IdmObjectSerializator.getSerializer();
|
||||
|
||||
String jsonData = objectMapper.writeValueAsString(responseBean);
|
||||
|
@ -9,6 +9,10 @@ public class ErrorMessages {
|
|||
public static final String USER_NOT_AUTHORIZED_PRIVATE = "User is not authorized to access private data";
|
||||
public static final String CANNOT_RETRIEVE_PROFILE = "Unable to retrieve user profile";
|
||||
|
||||
public static final String RESERVED_PARAMETER = "The parameter can be used only by realm administrators: ";
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|