diff --git a/bin/install-local-s-forms.sh b/bin/install-local-s-forms.sh deleted file mode 100755 index e315c24a..00000000 --- a/bin/install-local-s-forms.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash - -PROJECT_DIR=$(realpath $(dirname "$0")/..) -SFORMS_DIR=$(realpath $PROJECT_DIR/../s-forms) - -SFORMS_VERSION=$(json -f $SFORMS_DIR/package.json "version") -SFORMS_NAME=$(json -f $SFORMS_DIR/package.json "name") -SFORMS_NAME_NOMALIZED=$(echo $SFORMS_NAME | tr -d '@' | tr '/' '-') - - -RM_PACKAGE_JSON_FILE_PATH=$PROJECT_DIR/src/main/webapp/package.json -SFORMS_DIST_FILE_PATH=$SFORMS_DIR/$SFORMS_NAME_NOMALIZED-$SFORMS_VERSION.tgz - - -echo "INFO: Using SForms located at $SFORMS_DIR" - -echo "INFO: Building $SFORMS_NAME:$SFORMS_VERSION ..." -cd $SFORMS_DIR -rm -rf dist -mkdir -p dist -npm run build:lib - - - -cd - -echo "INFO: Updating $RM_PACKAGE_JSON_FILE_PATH ..." -json -I -f $RM_PACKAGE_JSON_FILE_PATH -e 'this.dependencies["'$SFORMS_NAME'"]="'$SFORMS_DIST_FILE_PATH'"' - - - -cd $PROJECT_DIR -echo "INFO: Installing new dependency on $SFORMS_DIST_FILE_PATH ..." -rm -rf src/main/webapp/node_modules/$SFORMS_NAME -cd src/main/webapp -npm install - - -echo 'INFO: Done. Restart watchify of record-manager if needed !!!' diff --git a/db-server/Dockerfile b/db-server/Dockerfile new file mode 100644 index 00000000..4695e55c --- /dev/null +++ b/db-server/Dockerfile @@ -0,0 +1,18 @@ +FROM ontotext/graphdb:10.2.0 + +# Override parent entrypoint +ENTRYPOINT [] + +ENV GRAPHDB_HOME=/opt/graphdb/home +ENV GRAPHDB_INSTALL_DIR=/opt/graphdb/dist + +WORKDIR ${GRAPHDB_HOME} + +# Copy repository config +COPY repo-config /repo-config +COPY repo-init.sh ${GRAPHDB_INSTALL_DIR}/repo-init.sh + +EXPOSE 7200 + +CMD ${GRAPHDB_INSTALL_DIR}/repo-init.sh /repo-config ${GRAPHDB_HOME} & ${GRAPHDB_INSTALL_DIR}/bin/graphdb -Dgraphdb.home=${GRAPHDB_HOME} + diff --git a/db-server/repo-config/config-record-manager-formgen.ttl b/db-server/repo-config/config-record-manager-formgen.ttl new file mode 100644 index 00000000..3bdbdd0f --- /dev/null +++ b/db-server/repo-config/config-record-manager-formgen.ttl @@ -0,0 +1,33 @@ +@prefix rdfs: . +@prefix rep: . +@prefix sail: . +@prefix xsd: . +@prefix graphdb: . + +<#record-manager-formgen> a rep:Repository; + rep:repositoryID "record-manager-formgen"; + rep:repositoryImpl [ + rep:repositoryType "graphdb:SailRepository"; + [ + graphdb:base-URL "http://example.org/owlim#"; + graphdb:check-for-inconsistencies "false"; + graphdb:defaultNS ""; + graphdb:disable-sameAs "true"; + graphdb:enable-context-index "true"; + graphdb:enable-literal-index "true"; + graphdb:enablePredicateList "true"; + graphdb:entity-id-size "32"; + graphdb:entity-index-size "10000000"; + graphdb:imports ""; + graphdb:in-memory-literal-properties "true"; + graphdb:owlim-license ""; + graphdb:query-limit-results "0"; + graphdb:query-timeout "0"; + graphdb:read-only "false"; + graphdb:repository-type "file-repository"; + graphdb:storage-folder "storage"; + graphdb:throw-QueryEvaluationException-on-timeout "false"; + sail:sailType "graphdb:Sail" + ] + ]; + rdfs:label "Record Manager Form generator Repository" . diff --git a/db-server/repo-config/config-record-manager.ttl b/db-server/repo-config/config-record-manager.ttl new file mode 100644 index 00000000..01197c1e --- /dev/null +++ b/db-server/repo-config/config-record-manager.ttl @@ -0,0 +1,33 @@ +@prefix rdfs: . +@prefix rep: . +@prefix sail: . +@prefix xsd: . +@prefix graphdb: . + +<#record-manager-app> a rep:Repository; + rep:repositoryID "record-manager-app"; + rep:repositoryImpl [ + rep:repositoryType "graphdb:SailRepository"; + [ + graphdb:base-URL "http://example.org/owlim#"; + graphdb:check-for-inconsistencies "false"; + graphdb:defaultNS ""; + graphdb:disable-sameAs "true"; + graphdb:enable-context-index "true"; + graphdb:enable-literal-index "true"; + graphdb:enablePredicateList "true"; + graphdb:entity-id-size "32"; + graphdb:entity-index-size "10000000"; + graphdb:imports ""; + graphdb:in-memory-literal-properties "true"; + graphdb:owlim-license ""; + graphdb:query-limit-results "0"; + graphdb:query-timeout "0"; + graphdb:read-only "false"; + graphdb:repository-type "file-repository"; + graphdb:storage-folder "storage"; + graphdb:throw-QueryEvaluationException-on-timeout "false"; + sail:sailType "graphdb:Sail" + ] + ]; + rdfs:label "Record Manager Repository" . diff --git a/db-server/repo-init.sh b/db-server/repo-init.sh new file mode 100755 index 00000000..75de6407 --- /dev/null +++ b/db-server/repo-init.sh @@ -0,0 +1,34 @@ +#!/bin/bash + +# +# Initializes Record Manager GraphDB repositories if they do not already exist +# + +SOURCE_DIR=$1 +GRAPHDB_HOME=$2 +REPOSITORIES=("record-manager-app" "record-manager-formgen") +SHOULD_WAIT=true + +echo "Running repository initializer..." + +for REPO_NAME in ${REPOSITORIES[@]} +do + echo "Checking existence of repository '${REPO_NAME}'" + if [ ! -d ${GRAPHDB_HOME}/data/repositories/${REPO_NAME} ] || [ -z "$(ls -A ${GRAPHDB_HOME})/data/repositories/${REPO_NAME}" ]; + then + if [ "${SHOULD_WAIT}" = "true" ]; + then + # Wait for GraphDB to start up + echo "Waiting for GraphDB to start up..." + sleep 15s + SHOULD_WAIT=false + fi + + # Create repository based on configuration + echo "Creating repository '${REPO_NAME}'..." + curl -X POST --header "Content-Type: multipart/form-data" -F "config=@${SOURCE_DIR}/config-${REPO_NAME}.ttl" "http://localhost:7200/rest/repositories" + echo "Repository '${REPO_NAME}' successfully initialized." + else + echo "Repository '${REPO_NAME}' already exists. Skipping initialization..." + fi +done diff --git a/doc/development.md b/doc/development.md index 026ff109..2978b851 100644 --- a/doc/development.md +++ b/doc/development.md @@ -1,4 +1,4 @@ -Development Notes +# Development Notes Frontend of the application is developed separately. diff --git a/doc/setup.md b/doc/setup.md index 30de586b..40d32b4b 100644 --- a/doc/setup.md +++ b/doc/setup.md @@ -65,4 +65,28 @@ default role mapping in Keycloak. Record Manager will assign `ROLE_USER` to auth must be available in the token. Note also that it is expected that user metadata corresponding to the user extracted from the access token exist in the -repository. They are paired via the `prefferred_username` claim value (see `SecurityUtils`). +repository. They are paired via the `preferred_username` claim value (see `SecurityUtils`). + +## Docker Compose Deployment + +This repo contains an example Docker Compose configuration that can be used to quickly spin up Record Manager with its frontend, +a GraphDB repository, S-pipes form generator and Keycloak as the authentication service. The configuration uses the Record Manager +code from this repository. Published frontend image is used. + +The deployment is pretty much self-contained, it sets up the corresponding repositories, imports a realm where clients +are configured for both the Record Manager backend and frontend. All the services (except PostgreSQL used by Keycloak) +in the deployment export their ports to the host system, so ensure the following ports are available on your system: +3000, 8080, 8081, 8088. + +To run the deployment for the first time, follow these steps: + +1. Create the `.env` file and set the following variables in it: `KC_ADMIN_USER`, `KC_ADMIN_PASSWORD`. +2. Run `docker compose up -d db-server` first. It uses a script that creates GraphDB repositories needed by the system. +3. Wait approximately 20s (check the log and wait for GraphDB to be fully up). +4. Start the rest of the system by running `docker compose up -d --build` (`--build` is used because Record Manager backend needs to be build) +5. Go to [http://localhost:8088](http://localhost:8088), login to the Keycloak admin console using `KC_ADMIN_USER` and `KC_ADMIN_PASSWORD`. +6. Select realm `record-manager`. +7. Add user accounts as necessary. Do not forget to assign them one of `ROLE_ADMIN` or `ROLE_USER` roles. +8. Go to [http://localhost:3000](http://localhost:3000) and log in using one of the created user accounts. + +When running the deployment next time, just execute `docker compose up -d --build` and go to [http://localhost:3000](http://localhost:3000). diff --git a/docker-compose.yml b/docker-compose.yml index c84df613..c7b655ee 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,53 +1,102 @@ version: '3.9' services: - dm-record-manager: - image: 'ofn-record-manager:latest' - container_name: dm-record-manager + record-manager: + image: 'ghcr.io/kbss-cvut/kbss-cvut/record-manager-ui:latest' ports: - - '4000:80' + - "127.0.0.1:3000:80" depends_on: - - dm-record-manager-server + - record-manager-server environment: - API_URL: "http://localhost:3000/ofn-record-manager" + APP_TITLE: "Record Manager" + BASENAME: "./" + LANGUAGE: "cs" + NAVIGATOR_LANGUAGE: "true" + API_URL: "http://localhost:8080/record-manager-server" + APP_INFO: "© KBSS CVUT v Praze, 2023" + AUTHENTICATION: "oidc" + AUTH_SERVER_URL: "http://localhost:8088/realms/record-manager" + AUTH_CLIENT_ID: "record-manager-ui" + FORCE_BASENAME: "true" - dm-record-manager-server: + record-manager-server: build: . image: record-manager-server - container_name: dm-record-manager-server + container_name: record-manager-server ports: - - '3000:8080' + - "127.0.0.1:8080:8080" depends_on: - - dm-s-pipes-engine - - dm-rdf4j + - s-pipes-engine + - db-server + - auth-server environment: - repositoryUrl: "http://dm-rdf4j:8080/rdf4j-server/repositories/ofn-form-manager-app" - formGenRepositoryUrl: "http://dm-rdf4j:8080/rdf4j-server/repositories/ofn-form-manager-formgen" - formGenServiceUrl: "http://dm-s-pipes-engine:8080/s-pipes/service?_pId=clone&sgovRepositoryUrl=https%3A%2F%2Fgraphdb.onto.fel.cvut.cz%2Frepositories%2Fkodi-slovnik-gov-cz" + REPOSITORYURL: "http://db-server:7200/repositories/record-manager-app" + FORMGENREPOSITORYURL: "http://db-server:7200/repositories/record-manager-formgen" + FORMGENSERVICEURL: "http://s-pipes-engine:8080/s-pipes/service?_pId=clone&sgovRepositoryUrl=https%3A%2F%2Fgraphdb.onto.fel.cvut.cz%2Frepositories%2Fkodi-slovnik-gov-cz" + SECURITY_PROVIDER: "oidc" + SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUERURI: "http://localhost:8088/realms/record-manager" + SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWKSETURI: "http://auth-server:8080/realms/record-manager/protocol/openid-connect/certs" - dm-s-pipes-engine: - image: 's-pipes-engine:latest' - container_name: dm-s-pipes-engine + s-pipes-engine: + image: "ghcr.io/kbss-cvut/s-pipes/s-pipes-engine:latest" ports: - - "8081:8080" + - "127.0.0.1:8081:8080" depends_on: - - dm-rdf4j + - db-server + db-server: + build: + context: db-server environment: - - CONTEXTS_SCRIPTPATHS=/scripts - volumes: - - ./scripts:/scripts - - dm-rdf4j: - image: 'eclipse/rdf4j-workbench:4.3.7' - container_name: dm-rdf4j + GDB_JAVA_OPTS: "-Ddefault.min.distinct.threshold=67108864" ports: - - "8080:8080" + - "127.0.0.1:7200:7200" + volumes: + - data:/opt/graphdb/home + auth-server-db: + image: postgres:13 environment: - - JAVA_OPTS=-Xms1g -Xmx4g + POSTGRES_DB: keycloak + POSTGRES_USER: keycloak + POSTGRES_PASSWORD: keycloak volumes: - - data:/var/rdf4j - - logs:/usr/local/tomcat/logs + - auth-server-db:/var/lib/postgresql/data + auth-server: + image: "ghcr.io/kbss-cvut/keycloak-graphdb-user-replicator/keycloak-graphdb:latest" + command: + - start --import-realm + environment: + KC_IMPORT: realm-export.json + KC_HOSTNAME_URL: "http://localhost:8088" + KC_HOSTNAME_ADMIN_URL: "http://localhost:8088" + KC_HOSTNAME_STRICT_BACKCHANNEL: false + KC_HTTP_ENABLED: true + KEYCLOAK_ADMIN: ${KC_ADMIN_USER} + KEYCLOAK_ADMIN_PASSWORD: ${KC_ADMIN_PASSWORD} + DB_VENDOR: POSTGRES + DB_ADDR: auth-server-db + DB_DATABASE: keycloak + DB_USER: keycloak + DB_PASSWORD: keycloak + DB_SCHEMA: "public" + DB_SERVER_URL: "http://db-server:7200" + DB_SERVER_REPOSITORY_ID: "record-manager" + REPOSITORY_LANGUAGE: "en" + VOCABULARY_USER_TYPE: "http://onto.fel.cvut.cz/ontologies/record-manager/user" + VOCABULARY_USER_FIRST_NAME: "http://xmlns.com/foaf/0.1/firstName" + VOCABULARY_USER_LAST_NAME: "http://xmlns.com/foaf/0.1/lastName" + VOCABULARY_USER_USERNAME: "http://xmlns.com/foaf/0.1/accountName" + VOCABULARY_USER_EMAIL: "http://xmlns.com/foaf/0.1/mbox" + ADD_ACCOUNTS: false + REALM_ID: "record-manager" + ports: + - "127.0.0.1:8088:8080" + volumes: + - auth-server:/opt/keycloak/data + - ./keycloak:/opt/keycloak/data/import + depends_on: + - auth-server-db volumes: data: - logs: \ No newline at end of file + auth-server: + auth-server-db: diff --git a/keycloak/realm-export.json b/keycloak/realm-export.json new file mode 100644 index 00000000..5c1ec675 --- /dev/null +++ b/keycloak/realm-export.json @@ -0,0 +1,2306 @@ +{ + "id": "7647bef1-9609-47ff-9547-1071b1d6379b", + "realm": "record-manager", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "81369ed1-fee1-4e73-84f0-01256f1c30c0", + "name": "ROLE_USER", + "description": "Record Manager regular user role", + "composite": false, + "clientRole": false, + "containerId": "7647bef1-9609-47ff-9547-1071b1d6379b", + "attributes": {} + }, + { + "id": "cc5f90ec-d5eb-4316-9a16-bd8759e6f003", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "7647bef1-9609-47ff-9547-1071b1d6379b", + "attributes": {} + }, + { + "id": "7f5829b8-891b-4c75-b0bf-1d18139ef764", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "7647bef1-9609-47ff-9547-1071b1d6379b", + "attributes": {} + }, + { + "id": "e0414c82-95f8-4ab8-90e6-79592bd5eb31", + "name": "ROLE_ADMIN", + "description": "Record Manager admin role", + "composite": false, + "clientRole": false, + "containerId": "7647bef1-9609-47ff-9547-1071b1d6379b", + "attributes": {} + }, + { + "id": "625020fc-3b89-4108-8c64-f1abc2ab3d33", + "name": "default-roles-record-manager", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "view-profile", + "manage-account" + ] + } + }, + "clientRole": false, + "containerId": "7647bef1-9609-47ff-9547-1071b1d6379b", + "attributes": {} + } + ], + "client": { + "realm-management": [ + { + "id": "2f1a2f4f-243d-42cf-967d-627dd768501e", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "cd032277-fcee-4f25-8210-3ce1048fd77e", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "834ae891-9db1-4c4e-99ea-9ae53a544bfc", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "f0f0241c-bbcd-44d4-964c-2643af4f26d0", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "879729a3-4e0b-41dd-85ad-a12e736cf05b", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "1389459d-e926-4500-9134-3a950ba65a81", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "621fb44a-d34a-4085-9573-6d3b1afea63d", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "61726d12-e5bf-466e-a0c7-0017735f2962", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "f6790893-4c8d-4ffe-9617-9906746f889a", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "create-client", + "manage-users", + "query-clients", + "query-groups", + "manage-realm", + "view-events", + "impersonation", + "manage-events", + "view-realm", + "manage-identity-providers", + "query-users", + "view-users", + "query-realms", + "view-authorization", + "manage-authorization", + "view-identity-providers", + "manage-clients", + "view-clients" + ] + } + }, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "69b1c1c5-b652-478f-b0af-35e8e484d313", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "8ee3820e-ddd4-4986-829a-c65057423504", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "401017ea-8d15-486e-8c9d-4e2a75e6b122", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "a125da3d-4748-4edb-b5df-d277f09e06d2", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-groups", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "d6c5082c-8e89-433e-9882-5e8b08adc325", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "ed1920fa-64cc-4424-8274-6b6e6e57f254", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "6bb62c6d-b439-4c45-a3fc-3e04de081063", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "ba797aaa-5988-4a2a-adae-018583c62a14", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "56569251-8c6e-4062-9429-addf4cc5aad7", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + }, + { + "id": "d81e5dc3-f708-452c-8773-b16901383e84", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "attributes": {} + } + ], + "security-admin-console": [], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "b3c81a99-b0b7-4c95-87d7-3e1c96288510", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "d104f818-edcf-4a57-89b7-fd5706fa6a30", + "attributes": {} + } + ], + "account": [ + { + "id": "543d83df-0143-4c19-85b2-f72a4a0d7262", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "bded4a6e-b39c-4e57-9921-e9c8de547bfe", + "attributes": {} + }, + { + "id": "e0df0909-22b9-49db-a6b8-3ba073288adb", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "bded4a6e-b39c-4e57-9921-e9c8de547bfe", + "attributes": {} + }, + { + "id": "97c45565-4213-471f-bae7-e1023681beef", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "bded4a6e-b39c-4e57-9921-e9c8de547bfe", + "attributes": {} + }, + { + "id": "c222e908-915e-49e5-8086-a34452b63be2", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "bded4a6e-b39c-4e57-9921-e9c8de547bfe", + "attributes": {} + }, + { + "id": "fa9b927b-c9a9-4d0a-9654-4cd06193004c", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "bded4a6e-b39c-4e57-9921-e9c8de547bfe", + "attributes": {} + }, + { + "id": "44952935-57f3-4e5c-bc85-469be7d04ec0", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "bded4a6e-b39c-4e57-9921-e9c8de547bfe", + "attributes": {} + }, + { + "id": "bbc739bc-c147-4d91-be94-6da5ddca9fdc", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "bded4a6e-b39c-4e57-9921-e9c8de547bfe", + "attributes": {} + }, + { + "id": "530b69a1-266f-4de9-9739-7e4022494766", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "bded4a6e-b39c-4e57-9921-e9c8de547bfe", + "attributes": {} + } + ], + "record-manager": [], + "record-manager-ui": [] + } + }, + "groups": [], + "defaultRole": { + "id": "625020fc-3b89-4108-8c64-f1abc2ab3d33", + "name": "default-roles-record-manager", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "7647bef1-9609-47ff-9547-1071b1d6379b" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppMicrosoftAuthenticatorName", + "totpAppGoogleName" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + "clients": [ + { + "id": "bded4a6e-b39c-4e57-9921-e9c8de547bfe", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/record-manager/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/record-manager/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "2a5379d5-735e-4a49-92db-826d82f95f22", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/record-manager/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/record-manager/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "c0291885-df06-4f03-8724-b1daad33e8bb", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "84973a1b-f155-44a6-852f-1e346ce0c75b", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "d104f818-edcf-4a57-89b7-fd5706fa6a30", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "f3d0cdb7-e994-44a7-9f3d-8a2f9d26c3e0", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "34eebec0-1e19-4eab-af04-8729a1de47f4", + "clientId": "record-manager", + "name": "Record Manager", + "description": "Record Manager backend", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1699515939", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "d6e815c8-6fd6-4ef6-acf7-2c099b5010fc", + "clientId": "record-manager-ui", + "name": "Record Manager UI", + "description": "Record Manager frontend", + "rootUrl": "http://localhost:3000", + "adminUrl": "http://localhost:3000", + "baseUrl": "http://localhost:3000", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "http://localhost:3000/*" + ], + "webOrigins": [ + "http://localhost:3000" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "ef60d6bd-1c86-4aef-8acb-9311f581b186", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/record-manager/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/record-manager/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "21a078aa-f874-49f1-941b-ab63dae588db", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "dbba5b36-b2ae-4e3b-9e15-6d7a0bf7740e", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "c92decaf-7a2e-48ba-a942-69bcd528878b", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "59bea668-f072-47c0-ac11-8e4606e5a8b8", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "aca8fc33-ec29-463a-b80b-0671c89f922d", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "c8b5afd8-10c6-4022-902a-35de9f3c2dfa", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "34fb7aeb-1afa-4342-b9e5-e24ef0f80b61", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "id": "c98b2c20-571b-4e81-a014-591cb8f6ad0f", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "8cec6255-ad98-4371-ae19-dbb372e02f1f", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "4f72e822-0eb8-4b82-985f-aa4ceba3f75a", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "da7809e3-6a92-40f7-aa46-0a0d7b0bffe3", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "34a0421d-db95-495e-89b3-cb339adbb70b", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "4fd279ce-5c44-41e1-a687-1b5cdda7f934", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "b3f8aa0a-2211-448a-8970-cc0c92617e4b", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "042d3b84-6031-4bae-b91f-a317d7b7d73f", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "32a77622-1976-4d36-b3a5-3f6868796097", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "e5827582-d15c-4627-a48c-d4d51fd7e08a", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "0ff99981-c845-40f7-80d8-7568ad10ec93", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "d3b3496f-9c1c-4f52-83dd-eef5b12bfc76", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "ed06e339-2c4e-4ad2-ae0a-9178bbb81597", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "809b3da7-979c-453f-8631-31b5ef3b249e", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "1772111c-0d02-4c95-a1b1-7ec6dbd3aada", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "ff815811-8b75-469d-88ef-f5ff9258a0bf", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "514467e0-cf08-4a1a-a795-6c37f2a2d2c7", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "49bed86e-7929-445d-b6ea-2cac60eef02a", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "cf87e45b-ead1-4d1f-8d2c-ce7950c2d64e", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "8aeb74d4-3b41-4d53-b2ac-7ecb84d5b2d8", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "a7e169e5-b376-4283-929e-13c262319926", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "91826db7-be5d-448b-ab74-2383903def6b", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "id": "9fbaefa4-f64f-46ef-a8fb-bfdf02498555", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "4dc4a641-7401-47d9-a061-bd9fc99d3a43", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "41edb893-6eb9-4c7d-acb3-ec74fac8c1c8", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "4cd85308-d0be-46d2-a4f1-ecbb4668d1a6", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "76cd4363-4271-4f49-b0cc-f4d15ece5d55", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "dae72583-5ce5-4fe3-a7d9-28efcfb59403", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "00b2d5ad-6c79-4451-aeff-306da1996f7b", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "940bd361-903d-41a8-8445-c2315bf11d00", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "90f8968a-0580-4a62-9014-10d3b7efa595", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "keycloak-graphdb-user-replicator", + "jboss-logging" + ], + "enabledEventTypes": [ + "SEND_RESET_PASSWORD", + "UPDATE_CONSENT_ERROR", + "GRANT_CONSENT", + "VERIFY_PROFILE_ERROR", + "REMOVE_TOTP", + "REVOKE_GRANT", + "UPDATE_TOTP", + "LOGIN_ERROR", + "CLIENT_LOGIN", + "RESET_PASSWORD_ERROR", + "IMPERSONATE_ERROR", + "CODE_TO_TOKEN_ERROR", + "CUSTOM_REQUIRED_ACTION", + "OAUTH2_DEVICE_CODE_TO_TOKEN_ERROR", + "RESTART_AUTHENTICATION", + "IMPERSONATE", + "UPDATE_PROFILE_ERROR", + "LOGIN", + "OAUTH2_DEVICE_VERIFY_USER_CODE", + "UPDATE_PASSWORD_ERROR", + "CLIENT_INITIATED_ACCOUNT_LINKING", + "TOKEN_EXCHANGE", + "AUTHREQID_TO_TOKEN", + "LOGOUT", + "REGISTER", + "DELETE_ACCOUNT_ERROR", + "CLIENT_REGISTER", + "IDENTITY_PROVIDER_LINK_ACCOUNT", + "DELETE_ACCOUNT", + "UPDATE_PASSWORD", + "CLIENT_DELETE", + "FEDERATED_IDENTITY_LINK_ERROR", + "IDENTITY_PROVIDER_FIRST_LOGIN", + "CLIENT_DELETE_ERROR", + "VERIFY_EMAIL", + "CLIENT_LOGIN_ERROR", + "RESTART_AUTHENTICATION_ERROR", + "EXECUTE_ACTIONS", + "REMOVE_FEDERATED_IDENTITY_ERROR", + "TOKEN_EXCHANGE_ERROR", + "PERMISSION_TOKEN", + "SEND_IDENTITY_PROVIDER_LINK_ERROR", + "EXECUTE_ACTION_TOKEN_ERROR", + "SEND_VERIFY_EMAIL", + "OAUTH2_DEVICE_AUTH", + "EXECUTE_ACTIONS_ERROR", + "REMOVE_FEDERATED_IDENTITY", + "OAUTH2_DEVICE_CODE_TO_TOKEN", + "IDENTITY_PROVIDER_POST_LOGIN", + "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR", + "OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR", + "UPDATE_EMAIL", + "REGISTER_ERROR", + "REVOKE_GRANT_ERROR", + "EXECUTE_ACTION_TOKEN", + "LOGOUT_ERROR", + "UPDATE_EMAIL_ERROR", + "CLIENT_UPDATE_ERROR", + "AUTHREQID_TO_TOKEN_ERROR", + "UPDATE_PROFILE", + "CLIENT_REGISTER_ERROR", + "FEDERATED_IDENTITY_LINK", + "SEND_IDENTITY_PROVIDER_LINK", + "SEND_VERIFY_EMAIL_ERROR", + "RESET_PASSWORD", + "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR", + "OAUTH2_DEVICE_AUTH_ERROR", + "UPDATE_CONSENT", + "REMOVE_TOTP_ERROR", + "VERIFY_EMAIL_ERROR", + "SEND_RESET_PASSWORD_ERROR", + "CLIENT_UPDATE", + "CUSTOM_REQUIRED_ACTION_ERROR", + "IDENTITY_PROVIDER_POST_LOGIN_ERROR", + "UPDATE_TOTP_ERROR", + "CODE_TO_TOKEN", + "VERIFY_PROFILE", + "GRANT_CONSENT_ERROR", + "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR" + ], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "0024cb31-cba8-4efd-928d-c543cd978c12", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-usermodel-property-mapper", + "saml-user-attribute-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-property-mapper", + "saml-role-list-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-full-name-mapper", + "oidc-address-mapper" + ] + } + }, + { + "id": "434838d4-602c-4392-9a19-6465921375dc", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "cf7c45d4-737f-41f2-b619-d076e9ed19f3", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "eab30394-71a5-43fb-9404-2800ff59813f", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "c0712d9d-6697-4e1c-bd8d-7dbdf65a86cd", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "7a818699-55f7-4d55-ad9a-54047c5e538e", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "4589bb87-cc19-45ce-8d9b-9c2e0d37d017", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "3e8d26d9-c0f5-483b-8491-e807fa7f7838", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-full-name-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-address-mapper", + "oidc-usermodel-property-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-property-mapper" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "e205ca5d-64e2-48a2-9c44-3f11d50f7452", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "f3536ac8-4409-49b1-b9db-ea097b771be9", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "798cf67a-bffb-4659-9398-f5d43eab375d", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "99879e83-f159-40ca-bf9b-737147563977", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "8a6ebb89-0f91-4833-9778-bd90d44c5430", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "99eccaad-7787-4e29-ae0c-ea935627df4c", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "f9ef7d3d-9893-4cd4-b90c-e4b3cf4b51cf", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "ea32b847-8006-47d4-8276-37c549afc4f2", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "6af929be-ed91-4731-9962-c7633260677a", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "4d11b421-4a8c-4b66-a361-e41c3a3f0048", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "d657307f-9a32-4b09-8367-34462d6e3ddc", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "8d507ef8-2633-43b0-b67b-ff615a2b2e60", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "8d82372a-8b01-4052-adea-f100ac15ec35", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "b6b414ce-fd25-43b1-8755-b2ec949c4914", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "82d2a8dc-ca8b-49ba-8507-3981c2e62e20", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "adce43bb-4768-4be5-b548-da4c8119fdfe", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "b7c0458f-63d4-4a3c-a0bb-5016e1f01e2b", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "46ec6b88-c1c7-4751-8733-2f50dc059189", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "68a7ddf3-e07d-48de-937d-e5809fd552a0", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "a38450af-8671-48c0-bfb0-0679ea825907", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "088952d0-860e-4487-8430-04b4c66faba0", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "b0126146-ccd9-4fc3-b5aa-86a39893432a", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "84a1cd7c-639a-4a2f-a153-a79b22b35888", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "01b55c16-4825-4bdf-9a27-5753af452164", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "oauth2DevicePollingInterval": "5", + "parRequestUriLifespan": "60", + "cibaInterval": "5", + "realmReusableOtpCode": "false" + }, + "keycloakVersion": "22.0.5", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} \ No newline at end of file diff --git a/src/main/java/cz/cvut/kbss/study/model/PatientRecord.java b/src/main/java/cz/cvut/kbss/study/model/PatientRecord.java index 9a08a6a2..f64db877 100644 --- a/src/main/java/cz/cvut/kbss/study/model/PatientRecord.java +++ b/src/main/java/cz/cvut/kbss/study/model/PatientRecord.java @@ -1,13 +1,25 @@ package cz.cvut.kbss.study.model; -import cz.cvut.kbss.jopa.model.annotations.*; +import cz.cvut.kbss.jopa.model.annotations.CascadeType; +import cz.cvut.kbss.jopa.model.annotations.FetchType; +import cz.cvut.kbss.jopa.model.annotations.Id; +import cz.cvut.kbss.jopa.model.annotations.OWLAnnotationProperty; +import cz.cvut.kbss.jopa.model.annotations.OWLClass; +import cz.cvut.kbss.jopa.model.annotations.OWLDataProperty; +import cz.cvut.kbss.jopa.model.annotations.OWLObjectProperty; +import cz.cvut.kbss.jopa.model.annotations.ParticipationConstraints; import cz.cvut.kbss.study.model.qam.Question; import cz.cvut.kbss.study.model.util.HasOwlKey; +import java.io.Serializable; +import java.net.URI; import java.util.Date; @OWLClass(iri = Vocabulary.s_c_patient_record) -public class PatientRecord extends AbstractEntity implements HasOwlKey { +public class PatientRecord implements Serializable, HasOwlKey { + + @Id + private URI uri; @ParticipationConstraints(nonEmpty = true) @OWLDataProperty(iri = Vocabulary.s_p_key) @@ -40,6 +52,14 @@ public class PatientRecord extends AbstractEntity implements HasOwlKey { CascadeType.REMOVE}, fetch = FetchType.EAGER) private Question question; + public URI getUri() { + return uri; + } + + public void setUri(URI uri) { + this.uri = uri; + } + @Override public String getKey() { return key; diff --git a/src/main/java/cz/cvut/kbss/study/model/User.java b/src/main/java/cz/cvut/kbss/study/model/User.java index c5b44431..98f89467 100644 --- a/src/main/java/cz/cvut/kbss/study/model/User.java +++ b/src/main/java/cz/cvut/kbss/study/model/User.java @@ -144,6 +144,11 @@ public void setTypes(Set types) { this.types = types; } + public void addType(String type) { + assert types != null; + getTypes().add(type); + } + public String getToken() { return token; } public void setToken(String token) { this.token = token; } diff --git a/src/main/java/cz/cvut/kbss/study/persistence/dao/PatientRecordDao.java b/src/main/java/cz/cvut/kbss/study/persistence/dao/PatientRecordDao.java index b36ba023..1ff0525b 100644 --- a/src/main/java/cz/cvut/kbss/study/persistence/dao/PatientRecordDao.java +++ b/src/main/java/cz/cvut/kbss/study/persistence/dao/PatientRecordDao.java @@ -1,13 +1,20 @@ package cz.cvut.kbss.study.persistence.dao; +import cz.cvut.kbss.jopa.exceptions.NoResultException; import cz.cvut.kbss.jopa.model.EntityManager; +import cz.cvut.kbss.jopa.model.descriptors.Descriptor; +import cz.cvut.kbss.jopa.model.descriptors.EntityDescriptor; +import cz.cvut.kbss.jopa.model.metamodel.EntityType; import cz.cvut.kbss.study.dto.PatientRecordDto; +import cz.cvut.kbss.study.exception.PersistenceException; import cz.cvut.kbss.study.exception.ValidationException; import cz.cvut.kbss.study.model.Institution; import cz.cvut.kbss.study.model.PatientRecord; import cz.cvut.kbss.study.model.User; import cz.cvut.kbss.study.model.Vocabulary; import cz.cvut.kbss.study.persistence.dao.util.QuestionSaver; +import cz.cvut.kbss.study.util.Constants; +import cz.cvut.kbss.study.util.IdentificationUtils; import org.springframework.stereotype.Repository; import java.math.BigInteger; @@ -22,20 +29,72 @@ public PatientRecordDao(EntityManager em) { super(PatientRecord.class, em); } + @Override + public PatientRecord find(URI uri) { + Objects.requireNonNull(uri); + try { + return em.find(PatientRecord.class, uri, getDescriptor(uri)); + } catch (RuntimeException e) { + throw new PersistenceException(e); + } + } + + @Override + public PatientRecord findByKey(String key) { + Objects.requireNonNull(key); + try { + return em.createQuery("SELECT r FROM " + PatientRecord.class.getSimpleName() + " r WHERE r.key = :key", + type) + .setParameter("key", key, Constants.PU_LANGUAGE) + .setDescriptor(getDescriptor(key)).getSingleResult(); + } catch (NoResultException e) { + return null; + } + } + @Override public void persist(PatientRecord entity) { - super.persist(entity); - final QuestionSaver questionSaver = new QuestionSaver(); - questionSaver.persistIfNecessary(entity.getQuestion(), em); + Objects.requireNonNull(entity); + entity.setKey(IdentificationUtils.generateKey()); + entity.setUri(generateRecordUriFromKey(entity.getKey())); + try { + final Descriptor descriptor = getDescriptor(entity.getUri()); + em.persist(entity, descriptor); + final QuestionSaver questionSaver = new QuestionSaver(descriptor); + questionSaver.persistIfNecessary(entity.getQuestion(), em); + } catch (RuntimeException e) { + throw new PersistenceException(e); + } + } + + private Descriptor getDescriptor(String recordKey) { + return getDescriptor(generateRecordUriFromKey(recordKey)); + } + + private Descriptor getDescriptor(URI ctx) { + final EntityDescriptor descriptor = new EntityDescriptor(ctx); + final EntityType et = em.getMetamodel().entity(PatientRecord.class); + descriptor.addAttributeContext(et.getAttribute("author"), null); + descriptor.addAttributeContext(et.getAttribute("lastModifiedBy"), null); + descriptor.addAttributeContext(et.getAttribute("institution"), null); + return descriptor; + } + + public static URI generateRecordUriFromKey(String recordKey) { + return URI.create(Vocabulary.s_c_patient_record + "/" + Objects.requireNonNull(recordKey)); } @Override public void update(PatientRecord entity) { Objects.requireNonNull(entity); - final PatientRecord orig = em.find(PatientRecord.class, entity.getUri()); + final Descriptor descriptor = getDescriptor(entity.getUri()); + final PatientRecord orig = em.find(PatientRecord.class, entity.getUri(), descriptor); assert orig != null; orig.setQuestion(null); - em.merge(entity); + em.merge(entity, descriptor); + // Evict cached instances loaded from the default context + em.getEntityManagerFactory().getCache().evict(PatientRecord.class, entity.getUri(), null); + em.getEntityManagerFactory().getCache().evict(PatientRecordDto.class, entity.getUri(), null); } public List findAllRecords() { @@ -104,5 +163,4 @@ public void requireUniqueNonEmptyLocalName(PatientRecord entity) { "Local name of record is not unique for entity " + entity); } } - } diff --git a/src/main/java/cz/cvut/kbss/study/persistence/dao/formgen/FormGenDao.java b/src/main/java/cz/cvut/kbss/study/persistence/dao/formgen/FormGenDao.java index 2991449f..ec652200 100644 --- a/src/main/java/cz/cvut/kbss/study/persistence/dao/formgen/FormGenDao.java +++ b/src/main/java/cz/cvut/kbss/study/persistence/dao/formgen/FormGenDao.java @@ -5,6 +5,7 @@ import cz.cvut.kbss.jopa.model.descriptors.Descriptor; import cz.cvut.kbss.jopa.model.descriptors.EntityDescriptor; import cz.cvut.kbss.study.model.PatientRecord; +import cz.cvut.kbss.study.persistence.dao.PatientRecordDao; import cz.cvut.kbss.study.persistence.dao.util.QuestionSaver; import cz.cvut.kbss.study.util.Constants; import cz.cvut.kbss.study.util.IdentificationUtils; @@ -60,6 +61,7 @@ public URI persist(List records) { private void initRequiredFieldsIfNecessary(PatientRecord record) { if (record.getKey() == null) { // Happens for unpersisted records record.setKey(IdentificationUtils.generateKey()); + record.setUri(PatientRecordDao.generateRecordUriFromKey(record.getKey())); } } diff --git a/src/main/java/cz/cvut/kbss/study/persistence/dao/util/QuestionSaver.java b/src/main/java/cz/cvut/kbss/study/persistence/dao/util/QuestionSaver.java index 06c0fa96..d5b74ae5 100644 --- a/src/main/java/cz/cvut/kbss/study/persistence/dao/util/QuestionSaver.java +++ b/src/main/java/cz/cvut/kbss/study/persistence/dao/util/QuestionSaver.java @@ -6,6 +6,7 @@ import java.net.URI; import java.util.HashSet; +import java.util.Objects; import java.util.Set; /** @@ -16,14 +17,10 @@ public class QuestionSaver { private final Descriptor descriptor; - private Set visited = new HashSet<>(); - - public QuestionSaver() { - this.descriptor = null; - } + private final Set visited = new HashSet<>(); public QuestionSaver(Descriptor descriptor) { - this.descriptor = descriptor; + this.descriptor = Objects.requireNonNull(descriptor); } public void persistIfNecessary(Question root, EntityManager em) { @@ -33,24 +30,16 @@ public void persistIfNecessary(Question root, EntityManager em) { if (visited.contains(root.getUri())) { return; } - persist(root, em); + em.persist(root, descriptor); visited.add(root.getUri()); root.getSubQuestions().forEach(q -> this.persistSubQuestionIfNecessary(q, em)); } - private void persist(Question question, EntityManager em) { - if (descriptor != null) { - em.persist(question, descriptor); - } else { - em.persist(question); - } - } - private void persistSubQuestionIfNecessary(Question question, EntityManager em) { if (visited.contains(question.getUri())) { return; } - persist(question, em); + em.persist(question, descriptor); visited.add(question.getUri()); question.getSubQuestions().forEach(q -> persistSubQuestionIfNecessary(q, em)); } diff --git a/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java b/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java index 3504e5b8..c55d3f21 100644 --- a/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java +++ b/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java @@ -1,15 +1,20 @@ package cz.cvut.kbss.study.rest; +import cz.cvut.kbss.study.model.Institution; import cz.cvut.kbss.study.model.User; import cz.cvut.kbss.study.security.SecurityConstants; +import cz.cvut.kbss.study.service.InstitutionService; import cz.cvut.kbss.study.service.UserService; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.http.MediaType; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; +import java.util.List; + /** * API for getting basic user info. *

@@ -22,8 +27,11 @@ public class OidcUserController extends BaseController { private final UserService userService; - public OidcUserController(UserService userService) { + private final InstitutionService institutionService; + + public OidcUserController(UserService userService, InstitutionService institutionService) { this.userService = userService; + this.institutionService = institutionService; } @PreAuthorize("hasRole('" + SecurityConstants.ROLE_USER + "')") @@ -31,4 +39,18 @@ public OidcUserController(UserService userService) { public User getCurrent() { return userService.getCurrentUser(); } + + @PreAuthorize( + "hasRole('" + SecurityConstants.ROLE_ADMIN + "') " + + "or hasRole('" + SecurityConstants.ROLE_USER + "') and @securityUtils.isMemberOfInstitution(#institutionKey)") + @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE) + public List getUsers(@RequestParam(value = "institution", required = false) String institutionKey) { + return institutionKey != null ? getByInstitution(institutionKey) : userService.findAll(); + } + + private List getByInstitution(String institutionKey) { + assert institutionKey != null; + final Institution institution = institutionService.findByKey(institutionKey); + return userService.findByInstitution(institution); + } } diff --git a/src/main/java/cz/cvut/kbss/study/rest/handler/RestExceptionHandler.java b/src/main/java/cz/cvut/kbss/study/rest/handler/RestExceptionHandler.java index 0a97bfa7..894d58f2 100644 --- a/src/main/java/cz/cvut/kbss/study/rest/handler/RestExceptionHandler.java +++ b/src/main/java/cz/cvut/kbss/study/rest/handler/RestExceptionHandler.java @@ -87,7 +87,7 @@ void logException(HttpServletRequest request, RuntimeException e) { LOG.debug( String.format( "Request to '%s' failed due to error: %s", - request.getPathInfo(), + request.getRequestURI(), e.getMessage() ) ); diff --git a/src/main/java/cz/cvut/kbss/study/security/model/Role.java b/src/main/java/cz/cvut/kbss/study/security/model/Role.java new file mode 100644 index 00000000..4b794953 --- /dev/null +++ b/src/main/java/cz/cvut/kbss/study/security/model/Role.java @@ -0,0 +1,36 @@ +package cz.cvut.kbss.study.security.model; + +import cz.cvut.kbss.study.model.Vocabulary; +import cz.cvut.kbss.study.security.SecurityConstants; + +import java.util.Optional; +import java.util.stream.Stream; + +public enum Role { + USER(SecurityConstants.ROLE_USER, Vocabulary.s_c_doctor), + ADMIN(SecurityConstants.ROLE_ADMIN, Vocabulary.s_c_administrator); + + private final String name; + private final String type; + + Role(String name, String type) { + this.name = name; + this.type = type; + } + + public static Optional forType(String type) { + return Stream.of(Role.values()).filter(r -> r.type.equals(type)).findAny(); + } + + public static Optional forName(String name) { + return Stream.of(Role.values()).filter(r -> r.name.equals(name)).findAny(); + } + + public String getName() { + return name; + } + + public String getType() { + return type; + } +} diff --git a/src/main/java/cz/cvut/kbss/study/security/model/UserDetails.java b/src/main/java/cz/cvut/kbss/study/security/model/UserDetails.java index 91a843fc..78eb1eac 100644 --- a/src/main/java/cz/cvut/kbss/study/security/model/UserDetails.java +++ b/src/main/java/cz/cvut/kbss/study/security/model/UserDetails.java @@ -1,34 +1,23 @@ package cz.cvut.kbss.study.security.model; import cz.cvut.kbss.study.model.User; -import cz.cvut.kbss.study.model.Vocabulary; import cz.cvut.kbss.study.security.SecurityConstants; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import java.util.Collection; import java.util.Collections; -import java.util.HashMap; import java.util.HashSet; -import java.util.Map; import java.util.Objects; +import java.util.Optional; import java.util.Set; public class UserDetails implements org.springframework.security.core.userdetails.UserDetails { - private static final Map ROLE_MAPPING = initRoleMapping(); - private final User user; private final Set authorities; - private static Map initRoleMapping() { - final Map result = new HashMap<>(); - result.put(Vocabulary.s_c_administrator, SecurityConstants.ROLE_ADMIN); - result.put(Vocabulary.s_c_doctor, SecurityConstants.ROLE_USER); - return result; - } - public UserDetails(User user) { Objects.requireNonNull(user); this.user = user; @@ -46,8 +35,12 @@ public UserDetails(User user, Collection authorities) { } private void resolveRoles() { - authorities.addAll(ROLE_MAPPING.entrySet().stream().filter(e -> user.getTypes().contains(e.getKey())) - .map(e -> new SimpleGrantedAuthority(e.getValue())).toList()); + authorities.addAll( + user.getTypes().stream() + .map(Role::forType) + .filter(Optional::isPresent) + .map(r -> new SimpleGrantedAuthority(r.get().getName())) + .toList()); authorities.add(new SimpleGrantedAuthority(SecurityConstants.ROLE_USER)); } diff --git a/src/main/java/cz/cvut/kbss/study/service/security/SecurityUtils.java b/src/main/java/cz/cvut/kbss/study/service/security/SecurityUtils.java index 0322cb99..fd51a950 100644 --- a/src/main/java/cz/cvut/kbss/study/service/security/SecurityUtils.java +++ b/src/main/java/cz/cvut/kbss/study/service/security/SecurityUtils.java @@ -1,10 +1,14 @@ package cz.cvut.kbss.study.service.security; +import cz.cvut.kbss.study.exception.NotFoundException; import cz.cvut.kbss.study.model.PatientRecord; import cz.cvut.kbss.study.model.User; import cz.cvut.kbss.study.persistence.dao.PatientRecordDao; import cz.cvut.kbss.study.persistence.dao.UserDao; +import cz.cvut.kbss.study.security.model.Role; import cz.cvut.kbss.study.security.model.UserDetails; +import cz.cvut.kbss.study.service.ConfigReader; +import cz.cvut.kbss.study.util.oidc.OidcGrantedAuthoritiesExtractor; import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.context.SecurityContext; @@ -15,6 +19,7 @@ import org.springframework.stereotype.Service; import java.util.List; +import java.util.Optional; @Service public class SecurityUtils { @@ -23,9 +28,12 @@ public class SecurityUtils { private final PatientRecordDao patientRecordDao; - public SecurityUtils(UserDao userDao, PatientRecordDao patientRecordDao) { + private final ConfigReader config; + + public SecurityUtils(UserDao userDao, PatientRecordDao patientRecordDao, ConfigReader config) { this.userDao = userDao; this.patientRecordDao = patientRecordDao; + this.config = config; } /** @@ -70,7 +78,13 @@ public User getCurrentUser() { private User resolveAccountFromOAuthPrincipal(Jwt principal) { final OidcUserInfo userInfo = new OidcUserInfo(principal.getClaims()); - return userDao.findByUsername(userInfo.getPreferredUsername()); + final List roles = new OidcGrantedAuthoritiesExtractor(config).extractRoles(principal); + final User user = userDao.findByUsername(userInfo.getPreferredUsername()); + if (user == null) { + throw new NotFoundException("User with username '" + userInfo.getPreferredUsername() + "' not found in repository."); + } + roles.stream().map(Role::forName).filter(Optional::isPresent).forEach(r -> user.addType(r.get().getType())); + return user; } /** diff --git a/src/main/java/cz/cvut/kbss/study/util/oidc/OidcGrantedAuthoritiesExtractor.java b/src/main/java/cz/cvut/kbss/study/util/oidc/OidcGrantedAuthoritiesExtractor.java index 4ea00937..136a4401 100644 --- a/src/main/java/cz/cvut/kbss/study/util/oidc/OidcGrantedAuthoritiesExtractor.java +++ b/src/main/java/cz/cvut/kbss/study/util/oidc/OidcGrantedAuthoritiesExtractor.java @@ -4,6 +4,7 @@ import cz.cvut.kbss.study.util.ConfigParam; import org.springframework.core.convert.converter.Converter; import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.oauth2.core.ClaimAccessor; import org.springframework.security.oauth2.jwt.Jwt; import java.util.Collection; @@ -21,6 +22,10 @@ public OidcGrantedAuthoritiesExtractor(ConfigReader config) { @Override public Collection convert(Jwt source) { + return extractRoles(source).stream().map(SimpleGrantedAuthority::new).toList(); + } + + public List extractRoles(ClaimAccessor source) { final String rolesClaim = config.getConfig(ConfigParam.OIDC_ROLE_CLAIM); final String[] parts = rolesClaim.split("\\."); assert parts.length > 0; @@ -40,6 +45,6 @@ public Collection convert(Jwt source) { } roles = (List) map.getOrDefault(parts[parts.length - 1], Collections.emptyList()); } - return roles.stream().map(SimpleGrantedAuthority::new).toList(); + return roles; } } diff --git a/src/test/java/cz/cvut/kbss/study/environment/generator/Generator.java b/src/test/java/cz/cvut/kbss/study/environment/generator/Generator.java index 1df9c03f..77b67ac7 100644 --- a/src/test/java/cz/cvut/kbss/study/environment/generator/Generator.java +++ b/src/test/java/cz/cvut/kbss/study/environment/generator/Generator.java @@ -2,15 +2,19 @@ import cz.cvut.kbss.study.dto.PatientRecordDto; import cz.cvut.kbss.study.model.*; +import cz.cvut.kbss.study.model.qam.Answer; +import cz.cvut.kbss.study.model.qam.Question; import java.net.URI; import java.util.Collection; import java.util.Date; +import java.util.HashSet; import java.util.Random; +import java.util.Set; public class Generator { - private static Random random = new Random(); + private static final Random random = new Random(); private Generator() { throw new AssertionError(); @@ -133,11 +137,11 @@ public static User getUser(String username, String password, String firstName, S */ public static User generateUser(Institution institution){ final User person = new User(); - person.setUsername("RandomUsername" + Integer.toString(randomInt())); - person.setPassword("RandomPassword" + Integer.toString(randomInt())); - person.setFirstName("RandomFirstName" + Integer.toString(randomInt())); - person.setLastName("RandomLastName" + Integer.toString(randomInt())); - person.setEmailAddress("RandomEmail" + Integer.toString(randomInt()) + "@random.rand"); + person.setUsername("RandomUsername" + randomInt()); + person.setPassword("RandomPassword" + randomInt()); + person.setFirstName("RandomFirstName" + randomInt()); + person.setLastName("RandomLastName" + randomInt()); + person.setEmailAddress("RandomEmail" + randomInt() + "@random.rand"); person.setInstitution(institution); return person; } @@ -149,7 +153,7 @@ public static User generateUser(Institution institution){ */ public static Institution generateInstitution() { final Institution org = new Institution(); - org.setName("RandomInstitution" + Integer.toString(randomInt())); + org.setName("RandomInstitution" + randomInt()); org.setUri(generateUri()); return org; } @@ -163,7 +167,7 @@ public static Institution generateInstitution() { public static PatientRecord generatePatientRecord(User author) { final PatientRecord rec = new PatientRecord(); rec.setAuthor(author); - rec.setLocalName("RandomRecord" + Integer.toString(randomInt())); + rec.setLocalName("RandomRecord" + randomInt()); rec.setUri(generateUri()); rec.setInstitution(author.getInstitution()); return rec; @@ -177,7 +181,7 @@ public static PatientRecord generatePatientRecord(User author) { */ public static PatientRecordDto generatePatientRecordDto(User author) { final PatientRecordDto rec = new PatientRecordDto(); - rec.setLocalName("RandomRecordDto" + Integer.toString(randomInt())); + rec.setLocalName("RandomRecordDto" + randomInt()); rec.setAuthor(author); rec.setUri(generateUri()); rec.setInstitution(author.getInstitution()); @@ -193,8 +197,32 @@ public static ActionHistory generateActionHistory(User author) { final ActionHistory action = new ActionHistory(); action.setAuthor(author); action.setTimestamp(randomDate()); - action.setType("RANDOM_TYPE_" + Integer.toString(randomInt())); - action.setPayload("RandomPayload" + Integer.toString(randomInt())); + action.setType("RANDOM_TYPE_" + randomInt()); + action.setPayload("RandomPayload" + randomInt()); return action; } + + public static Question generateQuestionAnswerTree() { + final Question root = new Question(); + root.setOrigin(Generator.generateUri()); + final Question childOne = new Question(); + childOne.setOrigin(Generator.generateUri()); + childOne.setAnswers(Set.of(generateAnswer())); + root.setSubQuestions(new HashSet<>(Set.of(childOne))); + final Question childTwo = new Question(); + childTwo.setOrigin(Generator.generateUri()); + childTwo.setAnswers(Set.of(generateAnswer())); + root.getSubQuestions().add(childTwo); + return root; + } + + private static Answer generateAnswer() { + final Answer childOneAnswer = new Answer(); + if (randomBoolean()) { + childOneAnswer.setCodeValue(Generator.generateUri()); + } else { + childOneAnswer.setTextValue("Child one answer"); + } + return childOneAnswer; + } } diff --git a/src/test/java/cz/cvut/kbss/study/persistence/dao/PatientRecordDaoTest.java b/src/test/java/cz/cvut/kbss/study/persistence/dao/PatientRecordDaoTest.java index 625d851e..9713bc62 100644 --- a/src/test/java/cz/cvut/kbss/study/persistence/dao/PatientRecordDaoTest.java +++ b/src/test/java/cz/cvut/kbss/study/persistence/dao/PatientRecordDaoTest.java @@ -1,22 +1,33 @@ package cz.cvut.kbss.study.persistence.dao; +import cz.cvut.kbss.jopa.model.EntityManager; +import cz.cvut.kbss.jopa.model.descriptors.Descriptor; +import cz.cvut.kbss.jopa.model.descriptors.EntityDescriptor; +import cz.cvut.kbss.jopa.model.metamodel.EntityType; import cz.cvut.kbss.study.dto.PatientRecordDto; import cz.cvut.kbss.study.environment.generator.Generator; import cz.cvut.kbss.study.model.Institution; import cz.cvut.kbss.study.model.PatientRecord; import cz.cvut.kbss.study.model.User; +import cz.cvut.kbss.study.model.qam.Answer; import cz.cvut.kbss.study.persistence.BaseDaoTestRunner; -import java.util.List; - +import cz.cvut.kbss.study.persistence.dao.util.QuestionSaver; +import cz.cvut.kbss.study.util.IdentificationUtils; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; +import java.util.List; + import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; public class PatientRecordDaoTest extends BaseDaoTestRunner { @Autowired - private PatientRecordDao patientRecordDao; + private EntityManager em; + + @Autowired + private PatientRecordDao sut; @Autowired private UserDao userDao; @@ -39,12 +50,12 @@ public void findByInstitutionReturnsMatchingRecords() { institutionDao.persist(institutionOther); userDao.persist(user1); userDao.persist(user2); - patientRecordDao.persist(record1); - patientRecordDao.persist(record2); - patientRecordDao.persist(recordOther); + sut.persist(record1); + sut.persist(record2); + sut.persist(recordOther); }); - List records = patientRecordDao.findByInstitution(institution); + List records = sut.findByInstitution(institution); assertEquals(2, records.size()); assertEquals(1, records.stream().filter(rs -> record1.getUri().equals(rs.getUri())).count()); @@ -66,12 +77,12 @@ public void findAllRecordsReturnAllRecords() { institutionDao.persist(institution2); userDao.persist(user1); userDao.persist(user2); - patientRecordDao.persist(record1); - patientRecordDao.persist(record2); - patientRecordDao.persist(record3); + sut.persist(record1); + sut.persist(record2); + sut.persist(record3); }); - List records = patientRecordDao.findAllRecords(); + List records = sut.findAllRecords(); assertEquals(3, records.size()); } @@ -85,11 +96,11 @@ public void getNumberOfProcessedRecords() { transactional(() -> { institutionDao.persist(institution); userDao.persist(user); - patientRecordDao.persist(record1); - patientRecordDao.persist(record2); + sut.persist(record1); + sut.persist(record2); }); - int numberOfProcessedRecords = patientRecordDao.getNumberOfProcessedRecords(); + int numberOfProcessedRecords = sut.getNumberOfProcessedRecords(); assertEquals(2, numberOfProcessedRecords); } @@ -107,15 +118,117 @@ public void findByAuthorReturnsMatchingRecords() { institutionDao.persist(institution); userDao.persist(user1); userDao.persist(user2); - patientRecordDao.persist(record1); - patientRecordDao.persist(record2); - patientRecordDao.persist(record3); + sut.persist(record1); + sut.persist(record2); + sut.persist(record3); }); - List records1 = patientRecordDao.findByAuthor(user1); - List records2 = patientRecordDao.findByAuthor(user2); + List records1 = sut.findByAuthor(user1); + List records2 = sut.findByAuthor(user2); assertEquals(2, records1.size()); assertEquals(1, records2.size()); } -} \ No newline at end of file + + @Test + void persistGeneratesIdentifierBeforeSavingRecord() { + final Institution institution = Generator.generateInstitution(); + institution.setKey(IdentificationUtils.generateKey()); + final User author = Generator.generateUser(institution); + author.generateUri(); + transactional(() -> { + em.persist(author); + em.persist(institution); + }); + + final PatientRecord record = Generator.generatePatientRecord(author); + record.setUri(null); + + transactional(() -> sut.persist(record)); + assertNotNull(record.getUri()); + final PatientRecord result = em.find(PatientRecord.class, record.getUri()); + assertNotNull(result); + } + + private User generateAuthorWithInstitution() { + final Institution institution = Generator.generateInstitution(); + institution.setKey(IdentificationUtils.generateKey()); + final User author = Generator.generateUser(institution); + author.generateUri(); + transactional(() -> { + em.persist(author); + em.persist(institution); + }); + return author; + } + + @Test + void persistSavesRecordWithQuestionAnswerTreeIntoSeparateContext() { + final User author = generateAuthorWithInstitution(); + final PatientRecord record = Generator.generatePatientRecord(author); + record.setUri(null); + record.setQuestion(Generator.generateQuestionAnswerTree()); + + transactional(() -> sut.persist(record)); + + final Descriptor descriptor = getDescriptor(record); + final PatientRecord result = em.find(PatientRecord.class, record.getUri(), descriptor); + assertNotNull(result); + assertNotNull(result.getQuestion()); + } + + private Descriptor getDescriptor(PatientRecord record) { + final EntityType et = em.getMetamodel().entity(PatientRecord.class); + final Descriptor descriptor = new EntityDescriptor(PatientRecordDao.generateRecordUriFromKey(record.getKey())); + descriptor.addAttributeContext(et.getAttribute("author"), null); + descriptor.addAttributeContext(et.getAttribute("lastModifiedBy"), null); + descriptor.addAttributeContext(et.getAttribute("institution"), null); + return descriptor; + } + + @Test + void updateUpdatesRecordInContext() { + final User author = generateAuthorWithInstitution(); + final PatientRecord record = Generator.generatePatientRecord(author); + record.setKey(IdentificationUtils.generateKey()); + record.setUri(PatientRecordDao.generateRecordUriFromKey(record.getKey())); + record.setQuestion(Generator.generateQuestionAnswerTree()); + final Descriptor descriptor = getDescriptor(record); + transactional(() -> { + em.persist(record, descriptor); + new QuestionSaver(descriptor).persistIfNecessary(record.getQuestion(), em); + }); + + final String updatedName = "Updated name"; + record.setLocalName(updatedName); + final Answer answer = record.getQuestion().getSubQuestions().iterator().next().getAnswers().iterator().next(); + final String updatedAnswer = "Updated answer"; + answer.setTextValue(updatedAnswer); + + transactional(() -> sut.update(record)); + + final PatientRecord result = em.find(PatientRecord.class, record.getUri(), descriptor); + assertEquals(updatedName, result.getLocalName()); + final Answer resultAnswer = em.find(Answer.class, answer.getUri(), descriptor); + assertNotNull(resultAnswer); + assertEquals(updatedAnswer, resultAnswer.getTextValue()); + } + + @Test + void findByKeyLoadsRecordByKey() { + final User author = generateAuthorWithInstitution(); + final PatientRecord record = Generator.generatePatientRecord(author); + record.setKey(IdentificationUtils.generateKey()); + record.setQuestion(Generator.generateQuestionAnswerTree()); + final Descriptor descriptor = getDescriptor(record); + transactional(() -> { + em.persist(record, descriptor); + new QuestionSaver(descriptor).persistIfNecessary(record.getQuestion(), em); + }); + + final PatientRecord result = sut.findByKey(record.getKey()); + assertNotNull(result); + assertEquals(record.getUri(), result.getUri()); + assertNotNull(result.getQuestion()); + } +} diff --git a/src/test/java/cz/cvut/kbss/study/security/model/RoleTest.java b/src/test/java/cz/cvut/kbss/study/security/model/RoleTest.java new file mode 100644 index 00000000..b006c35c --- /dev/null +++ b/src/test/java/cz/cvut/kbss/study/security/model/RoleTest.java @@ -0,0 +1,44 @@ +package cz.cvut.kbss.study.security.model; + +import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; + +import java.util.Optional; +import java.util.stream.Stream; + +import static org.junit.jupiter.api.Assertions.*; + +class RoleTest { + + static Stream generator() { + return Stream.of(Role.values()).map(Arguments::of); + } + + @ParameterizedTest + @MethodSource("generator") + void forTypeReturnsRoleMatchingSpecifiedType(Role r) { + final Optional result = Role.forType(r.getType()); + assertTrue(result.isPresent()); + assertEquals(r, result.get()); + } + + @Test + void forTypeReturnsEmptyOptionalForUnknownRoleType() { + assertTrue(Role.forType("unknownType").isEmpty()); + } + + @ParameterizedTest + @MethodSource("generator") + void forNameReturnsRoleMatchingSpecifiedRoleName(Role r) { + final Optional result = Role.forName(r.getName()); + assertTrue(result.isPresent()); + assertEquals(r, result.get()); + } + + @Test + void forNameReturnsEmptyOptionalForUnknownRoleName() { + assertTrue(Role.forName("unknownName").isEmpty()); + } +} \ No newline at end of file diff --git a/src/test/java/cz/cvut/kbss/study/service/security/SecurityUtilsTest.java b/src/test/java/cz/cvut/kbss/study/service/security/SecurityUtilsTest.java index bd88284b..4cdcdd11 100644 --- a/src/test/java/cz/cvut/kbss/study/service/security/SecurityUtilsTest.java +++ b/src/test/java/cz/cvut/kbss/study/service/security/SecurityUtilsTest.java @@ -5,9 +5,12 @@ import cz.cvut.kbss.study.model.Institution; import cz.cvut.kbss.study.model.PatientRecord; import cz.cvut.kbss.study.model.User; +import cz.cvut.kbss.study.model.Vocabulary; import cz.cvut.kbss.study.persistence.dao.PatientRecordDao; import cz.cvut.kbss.study.persistence.dao.UserDao; import cz.cvut.kbss.study.security.SecurityConstants; +import cz.cvut.kbss.study.service.ConfigReader; +import cz.cvut.kbss.study.util.ConfigParam; import cz.cvut.kbss.study.util.IdentificationUtils; import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; @@ -26,6 +29,8 @@ import java.time.temporal.ChronoUnit; import java.util.List; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.hasItem; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -40,6 +45,9 @@ public class SecurityUtilsTest { @Mock private PatientRecordDao patientRecordDao; + @Mock + private ConfigReader config; + @InjectMocks private SecurityUtils sut; @@ -71,6 +79,7 @@ public void getCurrentUserReturnsCurrentlyLoggedInUser() { @Test void getCurrentUserRetrievesCurrentUserForOauthJwtAccessToken() { + when(config.getConfig(ConfigParam.OIDC_ROLE_CLAIM)).thenReturn("roles"); final Jwt token = Jwt.withTokenValue("abcdef12345") .header("alg", "RS256") .header("typ", "JWT") @@ -153,4 +162,25 @@ public void isRecordInUsersInstitutionReturnsFalseWhenRecordBelongsToInstitution assertFalse(sut.isRecordInUsersInstitution(record.getKey())); } + + @Test + void getCurrentUserEnhancesRetrievedUserWithTypesCorrespondingToRolesSpecifiedInJwtClaim() { + when(config.getConfig(ConfigParam.OIDC_ROLE_CLAIM)).thenReturn("roles"); + final Jwt token = Jwt.withTokenValue("abcdef12345") + .header("alg", "RS256") + .header("typ", "JWT") + .claim("roles", List.of(SecurityConstants.ROLE_ADMIN)) + .issuer("http://localhost:8080/termit") + .subject(USERNAME) + .claim("preferred_username", USERNAME) + .expiresAt(Instant.now().truncatedTo(ChronoUnit.SECONDS).plusSeconds(300)) + .build(); + SecurityContext context = new SecurityContextImpl(); + context.setAuthentication(new JwtAuthenticationToken(token)); + SecurityContextHolder.setContext(context); + when(userDao.findByUsername(user.getUsername())).thenReturn(user); + + final User result = sut.getCurrentUser(); + assertThat(result.getTypes(), hasItem(Vocabulary.s_c_administrator)); + } }