Commit 87079e2b authored by Rohith's avatar Rohith

- adding the realm roles into the user context

parent 169f93c8
...@@ -180,6 +180,8 @@ func (r *KeycloakProxy) authenticationHandler() gin.HandlerFunc { ...@@ -180,6 +180,8 @@ func (r *KeycloakProxy) authenticationHandler() gin.HandlerFunc {
} }
userContext.bearerToken = isBearer userContext.bearerToken = isBearer
log.Debugf("found user context: %s", userContext)
// step: check the audience for the token is us // step: check the audience for the token is us
if !userContext.isAudience(r.config.ClientID) { if !userContext.isAudience(r.config.ClientID) {
log.WithFields(log.Fields{ log.WithFields(log.Fields{
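Review bot: The new Debugf writes the user's preferred name, expiry and full role list to the log on every authenticated request, because `%s` on userContext goes through the String() method this commit adds in the user-context file. At debug level that is acceptable for troubleshooting, but on a busy proxy it is one line per request and it puts identity and role data into logs that are often shipped to other systems. Logging the stable subject identifier and leaving the full rendering for when it is really needed is tighter, e.g. `log.Debugf("found user context for subject: %s", userContext.id)`. authenticationHandler begins before and continues past this hunk.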
...@@ -32,6 +32,7 @@ const ( ...@@ -32,6 +32,7 @@ const (
claimPreferredName = "preferred_username" claimPreferredName = "preferred_username"
claimAudience = "aud" claimAudience = "aud"
claimResourceAccess = "resource_access" claimResourceAccess = "resource_access"
claimRealmAccess = "realm_access"
claimResourceRoles = "roles" claimResourceRoles = "roles"
) )
...@@ -156,6 +157,15 @@ func (r *KeycloakProxy) getUserContext(token jose.JWT) (*userContext, error) { ...@@ -156,6 +157,15 @@ func (r *KeycloakProxy) getUserContext(token jose.JWT) (*userContext, error) {
var list []string var list []string
// step: extract the realm roles
if realmRoles, found := claims[claimRealmAccess].(map[string]interface{}); found {
if roles, found := realmRoles[claimResourceRoles]; found {
for _, r := range roles.([]interface{}) {
list = append(list, fmt.Sprintf("%s", r))
}
}
}
// step: extract the roles from the access token // step: extract the roles from the access token
if accesses, found := claims[claimResourceAccess].(map[string]interface{}); found { if accesses, found := claims[claimResourceAccess].(map[string]interface{}); found {
for roleName, roleList := range accesses { for roleName, roleList := range accesses {
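Review bot: The realm-role extraction ranges over an unchecked type assertion, `roles.([]interface{})`, so a token whose `realm_access.roles` claim is present but not a JSON array panics inside the request path instead of simply contributing no realm roles. Folding the assertion into the lookup, `if roles, found := realmRoles[claimResourceRoles].([]interface{}); found {`, closes that and matches how `realm_access` itself is asserted two lines above. Two smaller points in the same block: the loop variable `r` shadows the `*KeycloakProxy` receiver, and `fmt.Sprintf("%s", r)` on an `interface{}` reads more clearly as `fmt.Sprint(r)` (or an explicit string assertion that skips non-string entries). getUserContext continues past this hunk.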
...@@ -65,6 +65,51 @@ func getFakeAccessToken(t *testing.T) jose.JWT { ...@@ -65,6 +65,51 @@ func getFakeAccessToken(t *testing.T) jose.JWT {
return testToken return testToken
} }
func getFakeRealmAccessToken(t *testing.T) jose.JWT {
testToken, err := jose.NewJWT(
jose.JOSEHeader{
"alg": "RS256",
},
jose.Claims{
"jti": "4ee75b8e-3ee6-4382-92d4-3390b4b4937b",
//"exp": "1450372969",
"nbf": 0,
"iat": "1450372669",
"iss": "https://keycloak.example.com/auth/realms/commons",
"aud": "test",
"sub": "1e11e539-8256-4b3b-bda8-cc0d56cddb48",
"typ": "Bearer",
"azp": "clientid",
"session_state": "98f4c3d2-1b8c-4932-b8c4-92ec0ea7e195",
"client_session": "f0105893-369a-46bc-9661-ad8c747b1a69",
"realm_access": map[string]interface{}{
"roles": []string{
"dsp-dev-vpn",
"vpn-user",
"dsp-prod-vpn",
},
},
"resource_access": map[string]interface{}{
"openvpn": map[string]interface{}{
"roles": []string{
"dev-vpn",
},
},
},
"email": "gambol99@gmail.com",
"name": "Rohith Jayawardene",
"family_name": "Jayawardene",
"preferred_username": "rjayawardene",
"given_name": "Rohith",
},
)
if err != nil {
t.Fatalf("unable to generate a token: %s", err)
}
return testToken
}
func TestGetUserContext(t *testing.T) { func TestGetUserContext(t *testing.T) {
proxy := newFakeKeycloakProxy(t) proxy := newFakeKeycloakProxy(t)
token := getFakeAccessToken(t) token := getFakeAccessToken(t)
...@@ -81,6 +126,23 @@ func TestGetUserContext(t *testing.T) { ...@@ -81,6 +126,23 @@ func TestGetUserContext(t *testing.T) {
} }
} }
func TestGetUserRealmRoleContext(t *testing.T) {
proxy := newFakeKeycloakProxy(t)
token := getFakeRealmAccessToken(t)
context, err := proxy.getUserContext(token)
assert.NoError(t, err)
assert.NotNil(t, context)
assert.Equal(t, "1e11e539-8256-4b3b-bda8-cc0d56cddb48", context.id)
assert.Equal(t, "gambol99@gmail.com", context.email)
assert.Equal(t, "rjayawardene", context.preferredName)
roles := []string{"dsp-dev-vpn", "vpn-user", "dsp-prod-vpn", "openvpn:dev-vpn"}
if !reflect.DeepEqual(context.roles, roles) {
t.Errorf("the claims are not the same, %v <-> %v", context.roles, roles)
}
}
func TestGetSessionToken(t *testing.T) { func TestGetSessionToken(t *testing.T) {
proxy := newFakeKeycloakProxy(t) proxy := newFakeKeycloakProxy(t)
token := getFakeAccessToken(t) token := getFakeAccessToken(t)
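Review bot: TestGetUserRealmRoleContext pins an exact role order with reflect.DeepEqual, but the resource-role part of that list is produced by ranging over the `resource_access` map in getUserContext, so the assertion only holds while the fixture has a single client under `resource_access`. Sorting both sides before comparing, `sort.Strings(context.roles)` and `sort.Strings(roles)`, keeps the test stable if the fixture grows. The commented-out `"exp"` claim in getFakeRealmAccessToken presumably mirrors the existing getFakeAccessToken fixture; a one-line comment such as `// no "exp": the fixture must not expire during the test run` would save the next reader from guessing.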
...@@ -16,6 +16,7 @@ limitations under the License. ...@@ -16,6 +16,7 @@ limitations under the License.
package main package main
import ( import (
"fmt"
"strings" "strings"
"time" "time"
...@@ -69,3 +70,8 @@ func (r userContext) isExpired() bool { ...@@ -69,3 +70,8 @@ func (r userContext) isExpired() bool {
func (r userContext) isBearerToken() bool { func (r userContext) isBearerToken() bool {
return r.bearerToken return r.bearerToken
} }
func (r userContext) String() string {
return fmt.Sprintf("user: %s, expires: %s, roles: %s", r.preferredName, r.expiresAt.String(),
strings.Join(r.roles, ""))
}
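Review bot: String() joins the roles with an empty separator, `strings.Join(r.roles, "")`, so a context holding roles `a` and `b` renders as `roles: ab` and the boundaries between roles are lost; use a delimiter, `strings.Join(r.roles, ",")`. The method is consumed by the new `found user context` debug line in authenticationHandler, so that log entry is unreadable for any multi-role user until this is fixed. A short doc comment would also help, e.g. `// String summarises the user context for log output: preferred name, expiry and roles.`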