From 755fd78fa0ee0f2a67417a119382c63e02c1091e Mon Sep 17 00:00:00 2001
From: Alexandre Rocha Wendling <alexandrerw@celepar.pr.gov.br>
Date: Tue, 16 Jul 2024 14:15:23 +0000
Subject: [PATCH] Proxy ticket service and proxy ticket validation Proxy endpoints improvements suggested by Jacek Kowalski Add ticket type to storage key Rename isreuse to isReusable Remove "parsing" of "codeUUID" that is String, not UUID Improve error reporting in CAS ticket validation

---
 src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java |   65 +++++---------------------------
 1 files changed, 10 insertions(+), 55 deletions(-)

diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java
index 39ae848..4408d7d 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java
@@ -17,14 +17,11 @@
 
 package org.keycloak.protocol.cas.mappers;
 
-import org.keycloak.models.*;
-import org.keycloak.models.utils.RoleUtils;
+import org.keycloak.models.ProtocolMapperModel;
 
 import java.util.Map;
 import java.util.Set;
-import java.util.function.Predicate;
 import java.util.stream.Collectors;
-import java.util.stream.Stream;
 
 /**
  * Base class for mapping of user role mappings to an ID and Access Token claim.
@@ -34,64 +31,22 @@
 abstract class AbstractUserRoleMappingMapper extends AbstractCASProtocolMapper {
 
     /**
-     * Returns a stream with roles that come from:
-     * <ul>
-     * <li>Direct assignment of the role to the user</li>
-     * <li>Direct assignment of the role to any group of the user or any of its parent group</li>
-     * <li>Composite roles are expanded recursively, the composite role itself is also contained in the returned stream</li>
-     * </ul>
-     * @param user User to enumerate the roles for
-     */
-    public Stream<RoleModel> getAllUserRolesStream(UserModel user) {
-        return Stream.concat(
-          user.getRoleMappings().stream(),
-          user.getGroups().stream()
-            .flatMap(this::groupAndItsParentsStream)
-            .flatMap(g -> g.getRoleMappings().stream()))
-          .flatMap(RoleUtils::expandCompositeRolesStream);
-    }
-
-    /**
-     * Returns stream of the given group and its parents (recursively).
-     * @param group
-     * @return
-     */
-    private Stream<GroupModel> groupAndItsParentsStream(GroupModel group) {
-        Stream.Builder<GroupModel> sb = Stream.builder();
-        while (group != null) {
-            sb.add(group);
-            group = group.getParent();
-        }
-        return sb.build();
-    }
-
-    /**
      * Retrieves all roles of the current user based on direct roles set to the user, its groups and their parent groups.
      * Then it recursively expands all composite roles, and restricts according to the given predicate {@code restriction}.
      * If the current client sessions is restricted (i.e. no client found in active user session has full scope allowed),
      * the final list of roles is also restricted by the client scope. Finally, the list is mapped to the token into
      * a claim.
      */
-    protected void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession,
-                                       Predicate<RoleModel> restriction, String prefix) {
-        String rolePrefix = prefix == null ? "" : prefix;
-        UserModel user = userSession.getUser();
-
-        // get a set of all realm roles assigned to the user or its group
-        Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction);
-
-        boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
-        if (! dontLimitScope) {
-            Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
-              .flatMap(cs -> cs.getClient().getScopeMappings().stream())
-              .collect(Collectors.toSet());
-
-            clientUserRoles = clientUserRoles.filter(clientRoles::contains);
+    protected void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, Set<String> rolesToAdd,
+                                  String prefix) {
+        Set<String> realmRoleNames;
+        if (prefix != null && !prefix.isEmpty()) {
+            realmRoleNames = rolesToAdd.stream()
+                    .map(roleName -> prefix + roleName)
+                    .collect(Collectors.toSet());
+        } else {
+            realmRoleNames = rolesToAdd;
         }
-
-        Set<String> realmRoleNames = clientUserRoles
-          .map(m -> rolePrefix + m.getName())
-          .collect(Collectors.toSet());
 
         setPlainAttribute(attributes, mappingModel, realmRoleNames);
     }

--
Gitblit v1.9.1