From 52c391744bf30823c16fe12e0a69aaff852c745d Mon Sep 17 00:00:00 2001
From: Mauro Mugnaini
Date: Mon, 15 Feb 2021 15:54:05 +0100
Subject: [PATCH] Added helper functions to map groups to client's role and finalyzed JSON export importer also callable via Maven
---
 README.md | 6 +++
 .../gcube/oidc/keycloak/KeycloakHelper.java | 44 +++++++++----------
 .../d4science/ClientsCreatorFromExport.java | 7 ++-
 .../oidc/keycloak/UglyKeycloakHelperTest.java | 14 +++---
 4 files changed, 39 insertions(+), 32 deletions(-)
diff --git a/README.md b/README.md
index d0a0c68..12ab4de 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,12 @@ To build the library JAR it is sufficient to type
 mvn clean package
+### Launch the json import to REALM
+
+In order to perform the import of an infrastructure JSON export file it's sufficient to type:
+
+ mvn exec:java -Dexec.args="[keycloak-auth-base-url] [keycloak-admin-user] [keycloak-admin-pass] [realm-name] [json-export-path] [[avatar-base-url] [[avatars-target-folder]]]"
+
 ## Change log
 See [Releases](https://code-repo.d4science.org/gCubeSystem/authorization-client/releases).
diff --git a/src/main/java/org/gcube/oidc/keycloak/KeycloakHelper.java b/src/main/java/org/gcube/oidc/keycloak/KeycloakHelper.java
index 4f5f401..182cd7f 100644
--- a/src/main/java/org/gcube/oidc/keycloak/KeycloakHelper.java
+++ b/src/main/java/org/gcube/oidc/keycloak/KeycloakHelper.java
@@ -19,6 +19,7 @@ import org.keycloak.TokenVerifier;
 import org.keycloak.admin.client.Keycloak;
 import org.keycloak.admin.client.KeycloakBuilder;
 import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.admin.client.resource.GroupResource;
 import org.keycloak.admin.client.resource.PolicyResource;
 import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.admin.client.resource.ResourceResource;
@@ -31,6 +32,7 @@ import org.keycloak.jose.jwk.JWK;
 import org.keycloak.jose.jwk.JWKParser;
 import org.keycloak.representations.JsonWebToken;
 import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.GroupRepresentation;
 import org.keycloak.representations.idm.RoleRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
@@ -83,7 +85,8 @@ public class KeycloakHelper {
 .password(password).clientId(encodedClientId).resteasyClient(resteasyClient).build();
 }
- public Keycloak newKeycloak(String realm, String clientId, String clientSecret) throws UnsupportedEncodingException {
+ public Keycloak newKeycloak(String realm, String clientId, String clientSecret)
+ throws UnsupportedEncodingException {
 String encodedClientId = URLEncoder.encode(clientId, "UTF-8");
 return KeycloakBuilder.builder().serverUrl(serverUrl).realm(realm).grantType(OAuth2Constants.CLIENT_CREDENTIALS)
 .clientId(encodedClientId).clientSecret(clientSecret)
@@ -98,26 +101,6 @@ public class KeycloakHelper {
 return JWKParser.create(JWKSUtils.getKeyForUse(jsonWebKeySet, JWK.Use.SIG)).toPublicKey();
 }
- // Realm is too complex to configure it in depth with this helper. Please do it with the Web UI
- // public RealmResource addRealm(Keycloak keycloak, String realm, String displayName, String displayNameHtml,
- // boolean enabled) throws KeycloakResourceCreationException {
- // if (keycloak.realm(realm) != null) {
- // throw new KeycloakResourceCreationException("Realm already present on server: " + realm, null);
- // }
- // RealmRepresentation newRealmRepresentation = new RealmRepresentation();
- // newRealmRepresentation.setRealm(realm);
- // newRealmRepresentation.setId(realm);
- // newRealmRepresentation.setDisplayName(displayName);
- // newRealmRepresentation.setDisplayNameHtml(displayNameHtml);
- // newRealmRepresentation.setEnabled(enabled);
- // try {
- // keycloak.realms().create(newRealmRepresentation);
- // return keycloak.realms().realm(realm);
- // } catch (ClientErrorException e) {
- // throw new KeycloakResourceCreationException("While creating new realm: " + realm, null);
- // }
- // }
-
 public UserResource findUser(RealmResource realmResource, String username) {
 List results = realmResource.users().search(username);
 return results.size() > 0 ? realmResource.users().get(results.get(0).getId()) : null;
@@ -169,7 +152,6 @@ public class KeycloakHelper {
 return realm.clients().get(realm.clients().findByClientId(encodedClientId).get(0).getId());
 }
-
 public ClientResource addPublicClient(RealmResource realm, String clientId, String name, String description, String rootUrl, String loginTheme) throws KeycloakResourceCreationException, UnsupportedEncodingException {
@@ -223,6 +205,24 @@ public class KeycloakHelper {
 }
 }
+ public GroupResource findGroupByPath(RealmResource realm, String groupPath) throws UnsupportedEncodingException {
+ GroupRepresentation group = realm.getGroupByPath(groupPath);
+ if (group != null) {
+ return realm.groups().group(group.getId());
+ } else {
+ return null;
+ }
+ }
+
+ public void mapGroupToCLientRole(GroupResource group, ClientResource client, String roleName) {
+ mapGroupToCLientRole(group, client, client.roles().get(roleName));
+ }
+
+ public void mapGroupToCLientRole(GroupResource group, ClientResource client, RoleResource role) {
+ group.roles().clientLevel(client.toRepresentation().getId())
+ .add(Collections.singletonList(role.toRepresentation()));
+ }
+
 public RoleResource addRole(ClientResource clientResource, boolean clientRole, String id, String name, String description, String containerId) {
diff --git a/src/main/java/org/gcube/oidc/keycloak/d4science/ClientsCreatorFromExport.java b/src/main/java/org/gcube/oidc/keycloak/d4science/ClientsCreatorFromExport.java
index fcfd19c..29741ad 100644
--- a/src/main/java/org/gcube/oidc/keycloak/d4science/ClientsCreatorFromExport.java
+++ b/src/main/java/org/gcube/oidc/keycloak/d4science/ClientsCreatorFromExport.java
@@ -95,6 +95,9 @@ public class ClientsCreatorFromExport {
 } else {
 configureClientResource(client, roleMap, client.authorization().resources().resources().get(0));
 }
+ // Mapping group (from LDAP mapping) to relatives client's Member role
+ System.out.println("\tMapping '" + realmResource + "' LDAP group to client's 'Member' role");
+ kh.mapGroupToCLientRole(kh.findGroupByPath(realmResource, contextClient), client, roleMap.get(Role.MEMBER));
 }
 }
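Review bot: `findGroupByPath` declares `throws UnsupportedEncodingException`, but nothing in its body can throw it (`realm.getGroupByPath` and `realm.groups().group` are plain admin-client calls), so every caller, including the new `ClientsCreatorFromExport` call and the test `main`, is forced to handle a checked exception that never occurs; drop the clause: `public GroupResource findGroupByPath(RealmResource realm, String groupPath) {`. The `group != null` branch also deserves a comment, because as far as I can tell the Keycloak admin client reports a missing path with an unchecked `NotFoundException` from `getGroupByPath` rather than a null return, so the "null means not found" contract this method implies may not hold; confirm against the client version in use and either catch and return null or document that the exception propagates. Separately, `mapGroupToCLientRole` (capital L) is now public API in two overloads and will only get harder to rename, so `mapGroupToClientRole` before anything depends on it.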
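Review bot: The new log line prints `realmResource` (a resource proxy, so most likely its default `toString`) where the message clearly means the group path, while the lookup on the next line uses `contextClient`; change it to `System.out.println("\tMapping '" + contextClient + "' LDAP group to client's 'Member' role");`. The lookup result is also passed straight into `kh.mapGroupToCLientRole`, so a context whose group is missing, or a `roleMap` with no `Role.MEMBER` entry, fails with a bare NullPointerException inside the helper and the operator cannot tell which context was skipped or where the import stopped; a guard such as `GroupResource group = kh.findGroupByPath(realmResource, contextClient); if (group == null) throw new IllegalStateException("No group found for context: " + contextClient);` before the call makes the failure name the path. The enclosing method starts and ends outside the hunk.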
@@ -280,8 +283,8 @@ public class ClientsCreatorFromExport {
 Date start = new Date();
 System.out.println("Start at " + start);
- System.out.println("Deleting clients...");
- creator.deleteClients();
+// System.out.println("Deleting clients...");
+// creator.deleteClients();
 System.out.println("\n\n * * * Creating clients * * *");
 creator.createClients();
 System.out.println("\n\n * * * Mapping users to client's roles * * *");
diff --git a/src/test/java/org/gcube/oidc/keycloak/UglyKeycloakHelperTest.java b/src/test/java/org/gcube/oidc/keycloak/UglyKeycloakHelperTest.java
index b5b5ce2..d397c0c 100644
--- a/src/test/java/org/gcube/oidc/keycloak/UglyKeycloakHelperTest.java
+++ b/src/test/java/org/gcube/oidc/keycloak/UglyKeycloakHelperTest.java
@@ -11,10 +11,9 @@ import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
-import org.gcube.oidc.keycloak.KeycloakHelper;
-import org.gcube.oidc.keycloak.KeycloakResourceCreationException;
 import org.keycloak.admin.client.Keycloak;
 import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.admin.client.resource.GroupResource;
 import org.keycloak.admin.client.resource.PolicyResource;
 import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.admin.client.resource.ResourceResource;
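Review bot: The two `deleteClients` lines are commented out with `//` rather than removed or made conditional, so `main` now silently keeps whatever clients already exist in the realm, while the README text added in this commit describes the command purely as an import and gives no hint that a destructive delete step is one uncomment away. Either delete the two lines (history keeps them) or gate the deletion behind an explicit argument that appears in the usage string, so that wiping clients is opt-in and visible to whoever runs the import. The enclosing `main` starts and ends outside the hunk.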
@@ -93,12 +92,11 @@ public class UglyKeycloakHelperTest {
 }
 public static void main(String[] args) throws Exception {
- KeycloakHelper kh = KeycloakHelper.getInstance("https://nubis2.int.d4science.net/auth");
- Keycloak keycloak = kh.newKeycloakAdmin("admin", "4dm1n");
+ KeycloakHelper kh = KeycloakHelper.getInstance("https://accounts.dev.d4science.org/auth");
+ Keycloak keycloak = kh.newKeycloakAdmin("kadmin", "bb67fba2f32d3bd");
 RealmResource realmResource = keycloak.realm(realm);
- for (int clientNum = 0; clientNum < 10; clientNum++) {
- String clientName = clientPrefix + clientNum;
- kh.removeClient(realmResource, clientName);
- }
+ GroupResource groupResource = kh.findGroupByPath(realmResource, "gcube/devNext/NextNext");
+ ClientResource clientResource = kh.findClient(realmResource, "/gcube");
+ kh.mapGroupToCLientRole(groupResource, clientResource, "Member");
 }
 }
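Review bot: The replaced `newKeycloakAdmin` line commits a realm-admin username and password for `https://accounts.dev.d4science.org/auth` into source control (`kh.newKeycloakAdmin("kadmin", ...)`), and the previous revision did the same for `"admin"`; once pushed, that credential has to be treated as exposed and rotated no matter what later happens to this file. Read both values from system properties or the environment instead, e.g. `Keycloak keycloak = kh.newKeycloakAdmin(System.getProperty("kc.admin.user"), System.getProperty("kc.admin.pass"));` (property names illustrative), and fail fast with a clear message when they are unset, so the manual test never needs a secret in the repository. Since `findGroupByPath` can return null, `kh.mapGroupToCLientRole(groupResource, clientResource, "Member")` will throw a NullPointerException from inside the helper whenever the `gcube/devNext/NextNext` group is absent; an explicit null check that names the path keeps this manual test readable when it fails.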