new: [keycloak] automatically set mappings

cli-modification-summary
iglocska 2022-10-31 13:26:12 +01:00
parent 3bf52c701f
commit 2a31e39762
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
3 changed files with 62 additions and 3 deletions


@ -16,6 +16,7 @@ class UsersController extends AppController
public function index()
{
$this->Users->updateMappers();
$currentUser = $this->ACL->getUser();
$conditions = [];
if (empty($currentUser['role']['perm_admin'])) {
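Review bot: The new `$this->Users->updateMappers();` call at the top of `index()` discards the method's bool return, so a failed Keycloak admin request (the behaviour returns `false` on any non-OK response) goes unnoticed on every user listing. Consider recording the failure the way the behaviour's other paths do through `$this->Users->auditLogs()->insert(...)`, or at minimum `if (!$this->Users->updateMappers()) { $this->log('Keycloak mapper sync failed', 'warning'); }`. I cannot tell from here whether the table method is guarded by `keycloak.enabled`; if it is not, the call should be, since it otherwise issues an admin API round-trip for every request to a list action and puts Keycloak availability on that request path. `index()` continues outside the hunk.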


@ -176,7 +176,7 @@ class AuthKeycloakBehavior extends Behavior
$users = [$user->toArray()];
$clientId = $this->getClientId();
$changes = $this->syncUser($users, $clientId);
$changes = $this->syncUsers($users, $clientId);
return $changes;
}
@ -231,6 +231,7 @@ class AuthKeycloakBehavior extends Behavior
public function syncWithKeycloak(): array
{
$this->updateMappers();
$results = [];
$data['Users'] = $this->_table->find()->contain(['Individuals', 'Organisations', 'Roles'])->select(
[
@ -316,7 +317,6 @@ class AuthKeycloakBehavior extends Behavior
'org_uuid' => $user['organisation']['uuid']
]
];
debug($change);
$response = $this->restApiRequest('%s/admin/realms/%s/users/' . $keycloakUser['id'], $change, 'put');
if (!$response->isOk()) {
$this->_table->auditLogs()->insert([
@ -351,7 +351,6 @@ class AuthKeycloakBehavior extends Behavior
'org_uuid' => $user['organisation']['uuid']
]
];
debug($newUser);
$response = $this->restApiRequest('%s/admin/realms/%s/users', $newUser, 'post');
if (!$response->isOk()) {
$this->_table->auditLogs()->insert([
@ -385,4 +384,55 @@ class AuthKeycloakBehavior extends Behavior
{
return str_replace('%', '%%', $input);
}
public function updateMappers(): bool
{
$clientId = $this->getClientId();
$response = $this->restApiRequest('%s/admin/realms/%s/clients/' . $clientId . '/protocol-mappers/models?protocolMapper=oidc-usermodel-attribute-mapper', [], 'get');
if ($response->isOk()) {
$mappers = json_decode($response->getStringBody(), true);
} else {
return false;
}
$enabledMappers = [];
$defaultMappers = [
'org_name' => 0,
'org_uuid' => 0,
'role_name' => 0,
'role_uuid' => 0
];
$mappersToEnable = explode(',', Configure::read('keycloak.user_meta_mapping'));
foreach ($mappers as $mapper) {
if ($mapper['protocolMapper'] !== 'oidc-usermodel-attribute-mapper') {
continue;
}
if (in_array($mapper['name'], array_keys($defaultMappers))) {
$defaultMappers[$mapper['name']] = 1;
continue;
}
$enabledMappers[$mapper['name']] = $mapper;
}
$payload = [];
foreach ($mappersToEnable as $mapperToEnable) {
$payload[] = [
'protocol' => 'openid-connect',
'name' => $mapperToEnable,
'protocolMapper' => 'oidc-usermodel-attribute-mapper',
'config' => [
'id.token.claim' => true,
'access.token.claim' => true,
'userinfo.token.claim' => true,
'user.attribute' => $mapperToEnable,
'claim.name' => $mapperToEnable
]
];
}
if (!empty($payload)) {
$response = $this->restApiRequest('%s/admin/realms/%s/clients/' . $clientId . '/protocol-mappers/add-models', $payload, 'post');
if (!$response->isOk()) {
return false;
}
}
return true;
}
}
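Review bot: `updateMappers()` collects the attribute mappers Keycloak already has into `$enabledMappers` but never reads it, so every call — and it is invoked from both `UsersController::index()` and `syncWithKeycloak()` — POSTs the full configured list to `add-models` again; `$defaultMappers` is likewise written and never read. With the setting's default of `''`, `explode(',', '')` yields `['']`, so the payload is non-empty and a mapper with an empty name is submitted on each call; whether Keycloak rejects the repeat or the empty name, the result is a failed or redundant admin request per request to the users list. The decoded body is also unchecked, so a non-JSON response leaves `$mappers` as `null` and the `foreach` emits a warning instead of returning `false`, and `in_array($mapper['name'], array_keys($defaultMappers))` is a loose comparison where `isset($defaultMappers[$mapper['name']])` is meant. The rewrite below validates the response, trims and de-duplicates the configured names, and only submits mappers that do not already exist; the boolean `true` values in `config` are kept as-is, but Keycloak's mapper config is a string map, so sending `'true'` may be required — worth confirming against the deployed server version.
```php
public function updateMappers(): bool
{
    $clientId = $this->getClientId();
    $response = $this->restApiRequest('%s/admin/realms/%s/clients/' . $clientId . '/protocol-mappers/models?protocolMapper=oidc-usermodel-attribute-mapper', [], 'get');
    if (!$response->isOk()) {
        return false;
    }
    $mappers = json_decode($response->getStringBody(), true);
    if (!is_array($mappers)) {
        // Non-JSON or unexpected body: treat as a failed sync rather than iterating null.
        return false;
    }
    // Names of the attribute mappers the client already has; these must not be re-added.
    $existing = [];
    foreach ($mappers as $mapper) {
        if (($mapper['protocolMapper'] ?? null) === 'oidc-usermodel-attribute-mapper') {
            $existing[$mapper['name']] = true;
        }
    }
    // Empty setting means no work; drop blanks and duplicates from the comma-separated list.
    $configured = array_unique(array_filter(
        array_map('trim', explode(',', (string)Configure::read('keycloak.user_meta_mapping'))),
        static fn (string $name): bool => $name !== ''
    ));
    $mappersToEnable = array_values(array_diff($configured, array_keys($existing)));
    // … unchanged: $payload construction from $mappersToEnable and the add-models POST …
}
```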


@ -284,6 +284,14 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
'description' => __('family_name mapped name in keycloak'),
'dependsOn' => 'keycloak.enabled'
],
'keycloak.user_meta_mapping' => [
'name' => 'User Meta-field attribute mapping',
'type' => 'string',
'severity' => 'info',
'default' => '',
'description' => __('List of user metafields to push to keycloak as attributes. When using multiple templates, the attribute names have to be unique. Expects a comma separated list.'),
'dependsOn' => 'keycloak.enabled'
]
]
]
],