mirror of https://github.com/jacekkow/keycloak-protocol-cas
src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
@@ -4,9 +4,11 @@ import org.keycloak.protocol.ProtocolMapperUtils; import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper; import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.representations.AccessToken; import org.keycloak.utils.RoleResolveUtil; import java.util.*; import java.util.function.Predicate; import java.util.stream.Collectors; public class UserClientRoleMappingMapper extends AbstractUserRoleMappingMapper { @@ -59,55 +61,31 @@ } @Override public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession) { public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession session, ClientSessionContext clientSessionCtx) { String clientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID); String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX); setAttribute(attributes, mappingModel, userSession, getClientRoleFilter(clientId, userSession), rolePrefix); } private static Predicate<RoleModel> getClientRoleFilter(String clientId, UserSessionModel userSession) { if (clientId == null) { return RoleModel::isClientRole; } RealmModel clientRealm = userSession.getRealm(); ClientModel client = clientRealm.getClientByClientId(clientId.trim()); if (client == null) { return RoleModel::isClientRole; } ClientTemplateModel template = client.getClientTemplate(); boolean useTemplateScope = template != null && client.useTemplateScope(); boolean fullScopeAllowed = (useTemplateScope && template.isFullScopeAllowed()) || client.isFullScopeAllowed(); Set<RoleModel> clientRoleMappings = client.getRoles(); if (fullScopeAllowed) { return clientRoleMappings::contains; } Set<RoleModel> scopeMappings = new HashSet<>(); if (useTemplateScope) { Set<RoleModel> templateScopeMappings = template.getScopeMappings(); if (templateScopeMappings != null) { scopeMappings.addAll(templateScopeMappings); if (clientId != null && !clientId.isEmpty()) { AccessToken.Access access = RoleResolveUtil.getResolvedClientRoles(session, clientSessionCtx, clientId, false); if (access == null) { return; } setAttribute(attributes, mappingModel, access.getRoles(), rolePrefix); } else { // If clientId is not specified, we consider all clients Map<String, AccessToken.Access> allAccess = RoleResolveUtil.getAllResolvedClientRoles(session, clientSessionCtx); Set<String> allRoles = allAccess.values().stream().filter(Objects::nonNull) .flatMap(access -> access.getRoles().stream()) .collect(Collectors.toSet()); setAttribute(attributes, mappingModel, allRoles, rolePrefix); } Set<RoleModel> clientScopeMappings = client.getScopeMappings(); if (clientScopeMappings != null) { scopeMappings.addAll(clientScopeMappings); } return role -> clientRoleMappings.contains(role) && scopeMappings.contains(role); } public static ProtocolMapperModel create(String clientId, String clientRolePrefix, String name, String tokenClaimName) { ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, "String", true, name, PROVIDER_ID); "String", PROVIDER_ID); mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, clientId); mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX, clientRolePrefix); return mapper;
