I successfully implemented User storage SPI in keycloak. Now I am able to do authentication from external REST source. Now I want to get client roles from external source. I am receiving a user entity as follows:
{
"id": "78c8ee03-0bf8-422a-91ec-6241624c0683",
"username": "kaushikam",
.....
"roles": [
{
"id": 1,
"name": "heroes"
"client": "heroes-client"
}
]
}
In keycloak server, I have manually created a client with the name heroes-client and in that client I have added the client role heroes. Now I want to map the client role received from external source to the client role in the client named heroes-client.
I used the getClientRoleMappings in UserModel as follows:
override fun getClientRoleMappings(app: ClientModel?): MutableSet<RoleModel> {
logger.info { "Calling getClientRoleMappings" }
val userRoles = this.user?.roles?.filter { it.client == app?.name } ?: emptyList()
val clientRoles = mutableSetOf<RoleModel>()
userRoles.forEach {
if (app != null) {
clientRoles.add(app.getRole(it.name))
}
}
return clientRoles
}
But the above code is not being called. While getRoleMappings is called. Is there anyway to solve this issue.
You can get the whole source code of my work here
I solved the issue. I think there is currently no need of getClientRoleMappings method. My need can be achieved using the getRoleMappings method. I thought that method was only used for realm roles, but that's not the case. Below is the updated code for getRoleMappings:
override fun getRoleMappings(): MutableSet<RoleModel> {
val roles = addRealmRoles()
return addClientRoles(roles)
}
private fun addRealmRoles(): MutableSet<RoleModel> {
val roles = mutableSetOf<RoleModel>()
user?.roles?.forEach { roleDTO ->
if (realm != null) {
val realmRole = realm.getRole(roleDTO.name) ?: null
if (realmRole != null) {
roles.add(realmRole)
}
}
}
return roles
}
private fun addClientRoles(roles: MutableSet<RoleModel>): MutableSet<RoleModel> {
user?.roles?.forEach { roleDTO ->
realm?.clientsStream?.forEach { client ->
client.rolesStream.forEach { clientRole ->
if (client.clientId == roleDTO.client && clientRole.name == roleDTO.name) {
roles.add(clientRole)
}
}
}
}
return roles
}
I have also updated the repository. You can see whole source code there
Related
I'm using the papsign/Ktor-OpenAPI-Generator to generate Swagger API documentation for a Ktor application. I have a POST endpoint which contains headers in the request. Here is the entire code:
fun main(args: Array<String>): Unit =
io.ktor.server.netty.EngineMain.main(args)
#Suppress("unused")
fun Application.module() {
install(OpenAPIGen) {
info {
version = "1.0.0"
title = "Accelerated Earn"
description = "Accelerated earn service provides extra earn."
contact {
name = "John Doe"
email = "johndoe#gmail.com"
}
}
// describe the servers, add as many as you want
server("/") {
description = "This server"
}
replaceModule(DefaultSchemaNamer, object: SchemaNamer {
val regex = Regex("[A-Za-z0-9_.]+")
override fun get(type: KType): String {
return type.toString().replace(regex) { it.value.split(".").last() }.replace(Regex(">|<|, "), "_")
}
})
}
// Configuring jackson serialization
install(ContentNegotiation) {
jackson {
dateFormat = DateFormat.getDateTimeInstance()
}
}
// Configuring swagger routes
routing {
get("/openapi.json") {
call.respond(application.openAPIGen.api.serialize())
}
get("/") {
call.respondRedirect("/swagger-ui/index.html?url=/openapi.json", true)
}
}
demoFunction()
}
// Defining the DEMO tag
enum class Tags(override val description: String) : APITag {
DEMO("This is a demo endpoint")
}
// Request is of type DemoClass, response is Boolean
fun Application.demoFunction() {
apiRouting {
tag(Tags.DEMO) {
route("/demo") {
post<Unit, Boolean, DemoClass>(
status(HttpStatusCode.OK),
info(
"Demo endpoint",
"This is a demo API"
),
exampleResponse = true,
exampleRequest = DemoClass(name = "john doe", xyz = "some header")
) { _, request ->
respond(true)
}
}
}
}
}
#Request("Request")
data class DemoClass(
#HeaderParam("Sample header")
val xyz: String,
#PathParam("Name")
val name: String
)
In DemoClass, I have used #HeaderParam annotation to denote "xyz" property as a header, and used #PathParam annotation to denote "name" as a parameter of the request. I expected that "xyz" would be shown as a header in the documentation but it is being shown as a part of the request body, and nothing about headers is mentioned (as shown in the below figures)
Because of this, while making a request, I have to put the header inside the request body instead of passing it as a header in the request. Is it possible to fix this? How do I do it?
Found the error. The first parameter of post function is the class of header. Here is the updated code :-
fun Application.demoFunction() {
apiRouting {
tag(Tags.DEMO) {
route("/demo") {
post<Headers, Boolean, DemoClass>(
status(HttpStatusCode.OK),
info(
"Demo endpoint",
"This is a demo API"
),
exampleResponse = true,
exampleRequest = DemoClass(name = "john doe")
) { header, request ->
respond(true)
}
}
}
}
}
#Request("Request")
data class DemoClass(
#PathParam("Name")
val name: String
)
data class Headers(
#HeaderParam("Sample Header")
val xyz: String
)
I'm developing a workspace add-on with alternate runtime; I configured the add-on to work with spreadsheets and I need to retrieve the spreadsheet id when the user opens the add-on. For test purposes I created a cloud function that contains the business logic.
My deployment.json file is the following:
{
"oauthScopes": ["https://www.googleapis.com/auth/spreadsheets.currentonly", "https://www.googleapis.com/auth/drive.file"],
"addOns": {
"common": {
"name": "My Spreadsheet Add-on",
"logoUrl": "https://cdn.icon-icons.com/icons2/2070/PNG/512/penguin_icon_126624.png"
},
"sheets": {
"homepageTrigger": {
"runFunction": "cloudFunctionUrl"
}
}
}
}
However, the request I receive seems to be empty and without the id of the spreadsheet in which I am, while I was expecting to have the spreadsheet id as per documentation
Is there anything else I need to configure?
The relevant code is quite easy, I'm just printing the request:
exports.getSpreadsheetId = function addonsHomePage (req, res) { console.log('called', req.method); console.log('body', req.body); res.send(createAction()); };
the information showed in the log is:
sheets: {}
Thank you
UPDATE It's a known issue of the engineering team, here you can find the ticket
The information around Workspace Add-ons is pretty new and the documentation is pretty sparse.
In case anyone else comes across this issue ... I solved it in python using CloudRun by creating a button that checks for for the object then if there is no object it requests access to the sheet in question.
from flask import Flask
from flask import request
app = Flask(__name__)
#app.route('/', methods=['POST'])
def test_addon_homepage():
req_body = request.get_json()
sheet_info = req_body.get('sheets')
card = {
"action": {
"navigations": [
{
"pushCard": {
"sections": [
{
"widgets": [
{
"textParagraph": {
"text": f"Hello {sheet_info.get('title','Auth Needed')}!"
}
}
]
}
]
}
}
]
}
}
if not sheet_info:
card = create_file_auth_button(card)
return card
def create_file_auth_button(self, card):
card['action']['navigations'][0]['pushCard']['fixedFooter'] = {
'primaryButton': {
'text': 'Authorize file access',
'onClick': {
'action': {
'function': 'https://example-cloudrun.a.run.app/authorize_sheet'
}
}
}
}
return card
#app.route('/authorize_sheet', methods=['POST'])
def authorize_sheet():
payload = {
'renderActions': {
'hostAppAction': {
'editorAction': {
'requestFileScopeForActiveDocument': {}
}
}
}
}
return payload
I had lot of difficulties after upgrading signalR & .NET version.
Previously I had 1.XX version now I have 2.4.0 signal R version.
This question is directly connected with - https://github.com/SignalR/SignalR/issues/4339
But after upgrade signal R doesn't work.
Now the problem is client-side functions cannot call.
I just tried this: Signalr doesn't call client side functions
and fixed it according to the correct answer:
In your init prior to $.connection.hub.start call your _subscribe method.
Later I went through a bit deeper down on this issue, and added console.log below place in my signalr.js
connection.socket.onmessage = function (event) {
var data;
try {
console.log(event.data);
data = connection._parseResponse(event.data);
}
catch (error) {
transportLogic.handleParseFailure(connection, event.data, error, onFailed, event);
console.log("socket error" + event.data);
return;
}
if (data) {
transportLogic.processMessages(connection, data, onSuccess);
}
};
After every one joins meeting -> meeting start and ask for vote (this place we should call signalR)
From vote asking person side I see console log like this:
Normal user ( voting persons console log looks like this:
This is from Firefox - another user:
I think it already triggering - client hub event 'sendOnlineMeetingVoteRequest' on hub 'NotificationHub'.
It already hit server-side function too but the thing is it never hits this part of the code:
notificationHub.client.sendOnlineMeetingVoteRequest = function (token, meetingId, meetingVoteId) {
debugger;
if (token == '#Model.Organization' && '#Model.MeetingId' == meetingId) {
ShowMeetingOnlineMeetingVotePopup(meetingId, meetingVoteId);
}
};
I went through http://localhost:33852/signalr/hubs
/*!
* ASP.NET SignalR JavaScript Library v2.3.0-rtm
* http://signalr.net/
*
* Copyright (c) .NET Foundation. All rights reserved.
* Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
*
*/
/// <reference path="..\..\SignalR.Client.JS\Scripts\jquery-1.6.4.js" />
/// <reference path="jquery.signalR.js" />
(function ($, window, undefined) {
/// <param name="$" type="jQuery" />
"use strict";
if (typeof ($.signalR) !== "function") {
throw new Error("SignalR: SignalR is not loaded. Please ensure jquery.signalR-x.js is referenced before ~/signalr/js.");
}
var signalR = $.signalR;
function makeProxyCallback(hub, callback) {
return function () {
// Call the client hub method
callback.apply(hub, $.makeArray(arguments));
};
}
function registerHubProxies(instance, shouldSubscribe) {
var key, hub, memberKey, memberValue, subscriptionMethod;
for (key in instance) {
if (instance.hasOwnProperty(key)) {
hub = instance[key];
if (!(hub.hubName)) {
// Not a client hub
continue;
}
if (shouldSubscribe) {
// We want to subscribe to the hub events
subscriptionMethod = hub.on;
} else {
// We want to unsubscribe from the hub events
subscriptionMethod = hub.off;
}
// Loop through all members on the hub and find client hub functions to subscribe/unsubscribe
for (memberKey in hub.client) {
if (hub.client.hasOwnProperty(memberKey)) {
memberValue = hub.client[memberKey];
if (!$.isFunction(memberValue)) {
// Not a client hub function
continue;
}
// Use the actual user-provided callback as the "identity" value for the registration.
subscriptionMethod.call(hub, memberKey, makeProxyCallback(hub, memberValue), memberValue);
}
}
}
}
}
$.hubConnection.prototype.createHubProxies = function () {
var proxies = {};
this.starting(function () {
// Register the hub proxies as subscribed
// (instance, shouldSubscribe)
registerHubProxies(proxies, true);
this._registerSubscribedHubs();
}).disconnected(function () {
// Unsubscribe all hub proxies when we "disconnect". This is to ensure that we do not re-add functional call backs.
// (instance, shouldSubscribe)
registerHubProxies(proxies, false);
});
proxies['NotificationHub'] = this.createHubProxy('NotificationHub');
proxies['NotificationHub'].client = { };
proxies['NotificationHub'].server = {
sendMeetingStartMessage: function (token, meetingId) {
return proxies['NotificationHub'].invoke.apply(proxies['NotificationHub'], $.merge(["sendMeetingStartMessage"], $.makeArray(arguments)));
},
sendMeetingStopMessage: function (token, meetingId) {
return proxies['NotificationHub'].invoke.apply(proxies['NotificationHub'], $.merge(["sendMeetingStopMessage"], $.makeArray(arguments)));
},
sendMeetingTreeRefreshRequest: function (token, meetingId) {
return proxies['NotificationHub'].invoke.apply(proxies['NotificationHub'], $.merge(["sendMeetingTreeRefreshRequest"], $.makeArray(arguments)));
},
sendMessage: function (token, meetingId, agendaGroupItemId, motionId) {
return proxies['NotificationHub'].invoke.apply(proxies['NotificationHub'], $.merge(["sendMessage"], $.makeArray(arguments)));
},
sendOnlineMeetingVoteCloseRequest: function (token, meetingId, meetingVoteId) {
return proxies['NotificationHub'].invoke.apply(proxies['NotificationHub'], $.merge(["sendOnlineMeetingVoteCloseRequest"], $.makeArray(arguments)));
},
sendOnlineMeetingVoteRequest: function (token, meetingId, meetingVoteId) {
return proxies['NotificationHub'].invoke.apply(proxies['NotificationHub'], $.merge(["sendOnlineMeetingVoteRequest"], $.makeArray(arguments)));
},
sendOnlineVoteCloseRequest: function (token, meetingId, agendaGroupItemId, motionId) {
return proxies['NotificationHub'].invoke.apply(proxies['NotificationHub'], $.merge(["sendOnlineVoteCloseRequest"], $.makeArray(arguments)));
},
sendOnlineVoteRequest: function (token, meetingId, agendaGroupItemId, motionId) {
return proxies['NotificationHub'].invoke.apply(proxies['NotificationHub'], $.merge(["sendOnlineVoteRequest"], $.makeArray(arguments)));
},
sendOnlineVoteResult: function (token, meetingId, agendaGroupItemId, motionId, selectedVotingOptionId) {
return proxies['NotificationHub'].invoke.apply(proxies['NotificationHub'], $.merge(["sendOnlineVoteResult"], $.makeArray(arguments)));
}
};
return proxies;
};
signalR.hub = $.hubConnection("/signalr", { useDefaultPath: false });
$.extend(signalR, signalR.hub.createHubProxies());
}(window.jQuery, window));
So I didn't found any error on it too.
Still, I cannot figure it out why this is happening but I went through the sample project that uses signalR 2.0.3.0 version
I went to reference & just noted that this reference - Microsoft.AspNet.SignalR.Owin is not included in that sample project that I downloaded.
I did some investigation furthermore & find out this:
'The call is ambiguous between the following methods or properties'
This error will occur if a reference to Microsoft.AspNet.SignalR.Owin
is not removed. This package is deprecated; the reference must be
removed and the 1.x version of the SelfHost package must be
uninstalled.
(https://learn.microsoft.com/en-us/aspnet/signalr/overview/releases/upgrading-signalr-1x-projects-to-20)
Do I need to remove that?
In my web config, there is no code like this.
I just call this function purely from another place - about us page. only add relevant script and function.
from that place, it worked.
after that, I changed some scripts placing and fix this issue.
the main thing is I didn't get any error or anything. thing looks working all the time. but because of some script placement, it doesn't work.
Our grails application uses ldap authentication, without any problems, now I need to prevent access, to the entire application, if a user has no specific ldap role.
I can see the role and use it in my Config.groovy annotations or secure the actions in the controllers, but instead I need a scenario/way to just show a "Denied ..." message and logout. (POST Forbidden 403).
def filters = {
loginFilter(controller:'login', action:'ajaxSuccessSproutcore') {
before = {
switch(Environment.current.name) {
case { it == 'development' || it == 'hrm'}:
if (springSecurityService.isLoggedIn() && grails.plugin.springsecurity.SpringSecurityUtils.ifAnyGranted("ROLE_ADMIN, ROLE_SEA_HRM_LOGIN")){
} else {
if (springSecurityService.isLoggedIn()) {
render ([msg:''] as JSON)
session.invalidate()
return false
}
}
break
default:
if (springSecurityService.isLoggedIn() && grails.plugin.springsecurity.SpringSecurityUtils.ifAnyGranted("ROLE_ADMIN , ROLE_USER")){
} else {
if (springSecurityService.isLoggedIn()) {
render ([msg:''] as JSON)
session.invalidate()
return false
}
}
break
}
}
after = { Map model ->
}
afterView = { Exception e ->
}
}
}
In grails 3 you can set up an Interceptor to check every request and take the appropriate action. In your case you'd want to add a check in the before block.
Edit: As Jeff Brown notes in the comments, grails 2 used Filters rather than interceptors.
Edit: Something like this in your logout logic:
...
else {
if (springSecurityService.isLoggedIn()) {
session.invalidate()
redirect action:'youShallNotPass'
return false
}
}
Can some one just confirm that in order to add a user to a existing role the role needs to have public read & write access ?
as this seems to be the only way i can get it to work?
Code to create the Role (Working Fine)
let roleACL = PFACL()
roleACL.setPublicReadAccess(true)
//roleACL.setPublicWriteAccess(true)
let role = PFRole(name: "ClubName", acl:roleACL)
role.saveInBackground()
Code to add user to said Role (Works If write access set to public)
let QueryRole = PFRole.query()
QueryRole!.whereKey("name", equalTo: "ClubName")
QueryRole!.getFirstObjectInBackgroundWithBlock({ (roleObject: PFObject?, error: NSError?) -> Void in
if error == nil
{
let roleToAddUser = roleObject as! PFRole
roleToAddUser.users.addObject(user)
roleToAddUser.saveInBackground()
//print(roleObject)
}
else
{
print(error)
//print(roleObject)
}
})
the above code works but as i said only when the public write access to the role has been set true.
this is driving me crazy now
also IF the role is meant to have the public write access doesn't that make it vulnerable to someone changing the role?
if the role shouldn't have public write access then can someone point me in the right direction to get the above code working without setting the role with public write access.
the error i get if there is no public write access on the role is: object not found for update (Code: 101, Version: 1.8.1)
Why not perform all the work in cloud code instead, that will get you around the issue of read/write issue. Here is what I am doing.
Important to note: The code below would not work when the cloud code JDK was set to 'latest', I had to set it to JDK 1.5 and then redepled my cloud code.
Parse.Cloud.afterSave(Parse.User, function(request) {
Parse.Cloud.useMasterKey();
var user = request.object;
if (user.existed()) {
//console.log('object exits');
response.success();
// console.log('********return after save');
return;
}
// set ACL so that it is not public anymore
var acl = new Parse.ACL(user);
acl.setPublicReadAccess(false);
acl.setPublicWriteAccess(false);
user.setACL(acl);
user.save();
//add user to role
var query = new Parse.Query(Parse.Role);
query.equalTo("name", "signedmember");
query.first().then(function(object) {
if (object) {
object.relation("users").add(request.user);
object.save(null, {
success: function(saveObject) {
object.relation("users").add(request.user);
object.save(null, {
success: function(saveObject) {
// The object was saved successfully.
console.log('assigned user to role');
},
error: function(saveObject, error) {
// The save failed.
console.error("Failed creating role with error: " + error.code + ":"+ error.message);
}
});
},
});
}
});
});