/**
 * Builds the Keycloak-backed {@link UserApi} used by the service broker.
 *
 * <p>The Keycloak connection is created lazily through a {@link KubeKeycloakFactory} that reads
 * the standard authservice config name and the credentials/cert secret names from {@code options};
 * the API is given the system UTC clock.
 *
 * @param options broker options carrying the authservice config and secret names
 * @return a new {@link KeycloakUserApi} backed by the Kubernetes-resolved Keycloak factory
 */
private UserApi createUserApi(ServiceBrokerOptions options) {
    return new KeycloakUserApi(
            new KubeKeycloakFactory(
                    client,
                    options.getStandardAuthserviceConfigName(),
                    options.getStandardAuthserviceCredentialsSecretName(),
                    options.getStandardAuthserviceCertSecretName()),
            Clock.systemUTC());
}
log.info("Creating user {} in realm {}", user.getSpec().getUsername(), realmName); user.validate(); validateForCreation(user); withRealm(realmName, realm -> { if (userExists(user.getSpec().getUsername(), reps)) { List<String> usernames = reps.stream() .map(UserRepresentation::getUsername) UserRepresentation userRep = createUserRepresentation(user); setUserPassword(realm.users().get(userId), user.getSpec().getAuthentication()); break; case federated: setFederatedIdentity(realm.users().get(userId), user.getSpec().getAuthentication()); break; case serviceaccount: applyAuthorizationRules(realm, user, realm.users().get(userId));
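/**
 * Looks up a user in {@code realmName} by its {@code resourceName} attribute.
 *
 * <p>The match is on the first value of the Keycloak user attribute {@code resourceName}; users
 * without that attribute, or with an empty value list, are skipped instead of failing the whole
 * lookup (the original code indexed {@code get(0)} without checking the list was non-empty).
 *
 * @param realmName    realm to search
 * @param resourceName value the user's {@code resourceName} attribute must equal
 * @return the first matching user with its group memberships, or empty if none matches
 * @throws Exception propagated from the realm/Keycloak access
 */
@Override
public Optional<User> getUserWithName(String realmName, String resourceName) throws Exception {
    log.info("Retrieving user {} in realm {}", resourceName, realmName);
    return withRealm(realmName, realm -> realm.users().list().stream()
            .filter(userRep -> hasResourceName(userRep, resourceName))
            .findFirst()
            .map(userRep -> {
                List<GroupRepresentation> groupReps = realm.users().get(userRep.getId()).groups();
                return buildUser(userRep, groupReps);
            }));
}

/** True if the first value of the user's {@code resourceName} attribute equals {@code resourceName}. */
private static boolean hasResourceName(UserRepresentation userRep, String resourceName) {
    Map<String, List<String>> attributes = userRep.getAttributes();
    if (attributes == null) {
        return false;
    }
    List<String> values = attributes.get("resourceName");
    // An attribute present with no values must not match (and must not throw on get(0)).
    return values != null && !values.isEmpty() && resourceName.equals(values.get(0));
}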
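/**
 * Reconciles the Keycloak group memberships of {@code userResource} with the authorization rules
 * declared on {@code user}.
 *
 * <p>Groups the user is in but that are no longer desired are left; desired groups the user is
 * not yet in are created (if missing) and joined. Only the difference is touched, so an
 * unchanged set of rules issues no Keycloak writes.
 *
 * @param realm        realm the user lives in; used to list and create groups
 * @param user         user definition whose {@code spec.authorization} yields the desired groups
 * @param userResource Keycloak handle for the user whose memberships are adjusted
 */
private void applyAuthorizationRules(RealmResource realm, User user, UserResource userResource) {
    Set<String> desiredGroups = createDesiredGroupsSet(user.getSpec().getAuthorization());
    List<GroupRepresentation> groups = realm.groups().groups();
    Set<String> existingGroups = userResource.groups()
            .stream()
            .map(GroupRepresentation::getName)
            .collect(Collectors.toSet());

    log.info("Changing for user {} from {} to {}", user.getMetadata().getName(), existingGroups, desiredGroups);

    // Remove membership of groups no longer specified
    Set<String> membershipsToRemove = new HashSet<>(existingGroups);
    membershipsToRemove.removeAll(desiredGroups);
    log.debug("Removing groups {} from user {}", membershipsToRemove, user.getMetadata().getName());
    for (String group : membershipsToRemove) {
        // A group that no longer exists in the realm cannot be left; nothing to do for it.
        getGroupId(groups, group).ifPresent(userResource::leaveGroup);
    }

    // Add membership of new groups
    Set<String> membershipsToAdd = new HashSet<>(desiredGroups);
    membershipsToAdd.removeAll(existingGroups);
    // Fixed: this previously logged membershipsToRemove, making the audit trail of granted
    // memberships wrong.
    log.debug("Adding groups {} to user {}", membershipsToAdd, user.getMetadata().getName());
    for (String group : membershipsToAdd) {
        String groupId = createGroupIfNotExists(realm, group);
        userResource.joinGroup(groupId);
    }
}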
/**
 * Collects all users across every realm accepted by {@code realmPredicate}, keeping only those
 * accepted by {@code userPredicate}.
 *
 * <p>Each returned user carries its group memberships, which requires one additional Keycloak
 * call per matching user.
 *
 * @param realmPredicate selects the realms to scan
 * @param userPredicate  selects the users within each scanned realm
 * @return a {@link UserList} with the matching users in realm, then listing, order
 */
private UserList queryUsers(final Predicate<RealmRepresentation> realmPredicate, final Predicate<UserRepresentation> userPredicate) {
    return withKeycloak(keycloak -> {
        UserList result = new UserList();
        for (RealmRepresentation realmRep : keycloak.realms().findAll()) {
            if (!realmPredicate.test(realmRep)) {
                continue;
            }
            String realmName = realmRep.getRealm();
            for (UserRepresentation userRep : keycloak.realm(realmName).users().list()) {
                if (!userPredicate.test(userRep)) {
                    continue;
                }
                List<GroupRepresentation> groupReps =
                        keycloak.realm(realmName).users().get(userRep.getId()).groups();
                result.getItems().add(buildUser(userRep, groupReps));
            }
        }
        return result;
    });
}
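/**
 * Replaces an existing user's credentials and authorization rules.
 *
 * <p>The authentication type of a user is fixed at creation: if {@code user} carries an
 * authentication block whose type differs from the {@code authenticationType} attribute stored
 * on the Keycloak user, an {@link IllegalArgumentException} is thrown before anything is
 * written. A missing or empty stored attribute is treated as a mismatch rather than failing
 * with a {@link NullPointerException}, so the type-change guard still holds for such users.
 *
 * @param realmName realm the user lives in
 * @param user      desired user definition; must pass {@code user.validate()}
 * @return {@code true} if the user existed and was updated, {@code false} if no such user exists
 * @throws IllegalArgumentException if the request would change the user's authentication type
 * @throws Exception propagated from validation or Keycloak access
 */
@Override
public boolean replaceUser(String realmName, User user) throws Exception {
    log.info("Replacing user {} in realm {}", user.getSpec().getUsername(), realmName);
    user.validate();

    UserRepresentation userRep = getUser(realmName, user.getSpec().getUsername()).orElse(null);
    if (userRep == null) {
        return false;
    }

    if (user.getSpec().getAuthentication() != null) {
        // Read the stored type defensively: attributes may be absent or the value list empty.
        String existingAuthType = null;
        Map<String, List<String>> attributes = userRep.getAttributes();
        if (attributes != null) {
            List<String> values = attributes.get("authenticationType");
            if (values != null && !values.isEmpty()) {
                existingAuthType = values.get(0);
            }
        }
        if (!user.getSpec().getAuthentication().getType().name().equals(existingAuthType)) {
            throw new IllegalArgumentException("Changing authentication type of a user is not allowed (existing is " + existingAuthType + ")");
        }
    }

    return withRealm(realmName, realm -> {
        if (user.getSpec().getAuthentication() != null) {
            switch (user.getSpec().getAuthentication().getType()) {
                case password:
                    setUserPassword(realm.users().get(userRep.getId()), user.getSpec().getAuthentication());
                    break;
                case federated:
                    setFederatedIdentity(realm.users().get(userRep.getId()), user.getSpec().getAuthentication());
                    break;
                default:
                    // Other types (e.g. serviceaccount) carry no credential material to update here.
                    break;
            }
        }
        applyAuthorizationRules(realm, user, realm.users().get(userRep.getId()));
        return true;
    });
}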
String[] parts = groupRep.getName().split("_"); Operation operation = Operation.valueOf(parts[0]); String address = decodePart(parts[1]); operationsByAddress.computeIfAbsent(address, k -> new HashSet<>()) .add(operation);
UserApi userApi = new KeycloakUserApi(keycloakFactory, Clock.systemUTC());
options.getStandardAuthserviceCertSecretName()); Clock clock = Clock.systemUTC(); UserApi userApi = new KeycloakUserApi(keycloakFactory, clock, options.getUserApiTimeout());
options.getStandardAuthserviceCertSecretName()); Clock clock = Clock.systemUTC(); UserApi userApi = new KeycloakUserApi(keycloakFactory, clock, Duration.ZERO);