PS-591 add admin role per service

alchemy-fr · Dec 11, 2023 · 22bed63 · 22bed63
1 parent 4c3ed07
commit 22bed63
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 4 deletions.
diff --git a/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php b/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php
@@ -20,6 +20,10 @@ public function configure(OutputInterface $output): void
     {
         $this->configureRealm();
 
+        foreach ($this->symfonyApplications as $app) {
+            $this->keycloakManager->createRole($app.'-admin', sprintf('Admin access for %s', ucwords($app)));
+        }
+
         foreach ([
                      KeycloakInterface::ROLE_ADMIN => 'Can do anything',
                      KeycloakInterface::ROLE_TECH => 'Access to Dev/Ops Operations',

diff --git a/lib/php/auth-bundle/Resources/config/services.yaml b/lib/php/auth-bundle/Resources/config/services.yaml
@@ -24,7 +24,8 @@ services:
   Alchemy\AuthBundle\Security\JwtValidator: ~
   Alchemy\AuthBundle\Security\JwtValidatorInterface: '@Alchemy\AuthBundle\Security\JwtValidator'
   Alchemy\AuthBundle\Security\OAuthAuthorizationAuthenticator: ~
-  Alchemy\AuthBundle\Security\RoleMapper: ~
+  Alchemy\AuthBundle\Security\RoleMapper:
+      $appName: '%alchemy_core.app_name%'
 
   Alchemy\AuthBundle\Controller\OAuthProxyController:
       public: true

diff --git a/lib/php/auth-bundle/Security/RoleMapper.php b/lib/php/auth-bundle/Security/RoleMapper.php
@@ -7,17 +7,22 @@
 final readonly class RoleMapper
 {
     public function __construct(
+        private string $appName,
         private array $mapping = [
             'admin' => 'ROLE_ADMIN',
-        ]
+        ],
     )
     {
     }
 
     public function getRoles(array $idpRoles): array
     {
-        return array_filter(array_map(function (string $role): ?string {
+        return array_values(array_unique(array_filter(array_map(function (string $role): ?string {
+            if ($role === sprintf('%s-admin', $this->appName)) {
+                return 'ROLE_ADMIN';
+            }
+
             return $this->mapping[$role] ?? null;
-        }, $idpRoles));
+        }, $idpRoles))));
     }
 }