Merge pull request #8072 from weseek/feat/123280-130394-keycloak-group-sync-exec

Feat/123280 130394 keycloak group sync exec

apps/app/package.json

@@ -76,10 +76,11 @@
     "@growi/slack": "link:../../packages/slack",
     "@promster/express": "^7.0.6",
     "@promster/server": "^7.0.8",
+    "@s3pweb/keycloak-admin-client-cjs": "^22.0.1",
     "@slack/web-api": "^6.2.4",
     "@slack/webhook": "^6.0.0",
-    "@types/ldapjs": "^2.2.5",
     "@types/jest": "^29.5.2",
+    "@types/ldapjs": "^2.2.5",
     "JSONStream": "^1.3.5",
     "archiver": "^5.3.0",
     "array.prototype.flatmap": "^1.2.2",

apps/app/public/static/locales/en_US/admin.json

@@ -1061,8 +1061,11 @@
     "execute_sync": "Execute Sync",
     "sync": "Sync",
     "invalid_sync_settings": "Invalid sync settings",
+    "update_sync_settings_failed": "Failed to update sync settings",
     "description_form_detail": "Please note that edited value will be overwritten on next sync if description mapper is set in sync settings",
     "only_description_edit_allowed": "Only description can be edited for external user groups",
+    "sync_succeeded": "Sync succeeded",
+    "sync_failed": "Sync failed",
     "ldap": {
       "group_sync_settings": "LDAP Group Sync Settings",
       "group_search_base_DN": "Group Search Base DN",
@@ -1076,7 +1079,6 @@
       "preserve_deleted_ldap_groups": "Preserve Deleted LDAP Groups",
       "name_mapper_detail": "Attribute to map as group name",
       "updated_group_sync_settings": "Updated LDAP group sync settings",
-      "sync_succeeded": "Sync succeeded",
       "password": "Password",
       "password_detail": "Login password is necessary because Bind type is set to User Bind",
       "circular_reference": "Sync failed because there is a possible circular reference in your LDAP group tree structure",
@@ -1087,16 +1089,17 @@
       "group_sync_settings": "Keycloak Group Sync Settings",
       "host": "Host",
       "host_detail": "Keycloak host URL",
-      "realm": "Realm",
-      "realm_detail": "Realm that contains the groups to sync",
-      "group_sync_client_name": "Group Sync Client Name",
-      "group_sync_client_name_detail": "Name of the client in the master realm to use for group sync",
-      "group_sync_client_id": "Group Sync Client ID",
-      "group_sync_client_id_detail": "ID of the client in the master realm to use for group sync",
-      "group_sync_client_secret": "Group Sync Client Secret",
-      "group_sync_client_secret_detail": "Secret of the client in the master realm to use for group sync",
+      "group_realm": "Group Realm",
+      "group_realm_detail": "Realm that contains the groups to sync",
+      "group_sync_client_realm": "Realm of client used to request to Admin API",
+      "group_sync_client_realm_detail": "Realm that contains the client used to authenticate to request to Keycloak admin API",
+      "group_sync_client_id": "Client ID",
+      "group_sync_client_id_detail": "Id of the client used to authenticate to request to Keycloak admin API",
+      "group_sync_client_secret": "Client Secret",
+      "group_sync_client_secret_detail": "Id of the secret used to authenticate to request to Keycloak admin API",
       "updated_group_sync_settings": "Updated Keycloak group sync settings",
-      "preserve_deleted_keycloak_groups": "Preserve Deleted Keycloak Groups"
+      "preserve_deleted_keycloak_groups": "Preserve Deleted Keycloak Groups",
+      "auth_not_set": "Please set up and enable OIDC or SAML with Keycloak in security settings before sync"
     },
     "auto_generate_user_on_sync": "Auto Generate User on Sync",
     "description_mapper_detail": "Attribute to map as group description. Description can be edited after sync. However, when a mapper is set, the edited value can possibly be overwritten by the next sync."

apps/app/public/static/locales/ja_JP/admin.json

@@ -1070,8 +1070,10 @@
     "execute_sync": "同期実行",
     "sync": "同期",
     "invalid_sync_settings": "同期設定に誤りがあります",
+    "update_sync_settings_failed": "同期設定の更新が失敗しました",
     "description_form_detail": "同期設定で「説明」の mapper が設定されている場合、編集内容は再同期によって上書きされることに注意してください",
     "only_description_edit_allowed": "外部グループは説明の編集のみが可能です",
+    "sync_succeeded": "同期に成功しました",
     "ldap": {
       "group_sync_settings": "LDAP グループ同期設定",
       "group_search_base_DN": "グループ検索ベース DN",
@@ -1085,7 +1087,6 @@
       "preserve_deleted_ldap_groups": "LDAP から削除されたグループを GROWI に残す",
       "name_mapper_detail": "グループの「名前」として読み込む属性",
       "updated_group_sync_settings": "LDAP グループ同期設定を更新しました",
-      "sync_succeeded": "同期に成功しました",
       "password": "パスワード",
       "password_detail": "認証設定がユーザ Bind のため、ログイン時のパスワードの入力が必要となります",
       "circular_reference": "LDAP グループの木構造に循環参照が行われている可能性があるため、同期に失敗しました",
@@ -1096,16 +1097,17 @@
       "group_sync_settings": "Keycloak グループ同期設定",
       "host": "Host",
       "host_detail": "Keycloak ホスト URL",
-      "realm": "Realm",
-      "realm_detail": "同期対象のグループがある realm",
-      "group_sync_client_name": "グループ同期に使う Client 名",
-      "group_sync_client_name_detail": "Master realm にある、グループ同期に使う Client 名",
-      "group_sync_client_id": "グループ同期に使う Client の ID",
-      "group_sync_client_id_detail": "Master realm にある、グループ同期に使う Client ID",
-      "group_sync_client_secret": "グループ同期に使う Client の Secret",
-      "group_sync_client_secret_detail": "Master realm にある、グループ同期に使う Client の secret",
+      "group_realm": "Group Realm",
+      "group_realm_detail": "同期対象のグループがある realm",
+      "group_sync_client_realm": "Admin API にリクエストするための client がある realm",
+      "group_sync_client_realm_detail": "Keycloak admin API にリクエストするための認証に使う client がある realm",
+      "group_sync_client_id": "Client の ID",
+      "group_sync_client_id_detail": "Keycloak admin API にリクエストするための認証に使う client の Client ID",
+      "group_sync_client_secret": "Client の Secret",
+      "group_sync_client_secret_detail": "Keycloak admin API にリクエストするための認証に使う client の secret",
       "updated_group_sync_settings": "Keycloak グループ同期設定を更新しました",
-      "preserve_deleted_keycloak_groups": "Keycloak から削除されたグループを GROWI に残す"
+      "preserve_deleted_keycloak_groups": "Keycloak から削除されたグループを GROWI に残す",
+      "auth_not_set": "同期実行前に、セキュリティ設定で Keycloak を使った OIDC または SAML 認証を設定し、有効にしてください"
     },
     "auto_generate_user_on_sync": "作成されていない GROWI アカウントを自動生成する",
     "description_mapper_detail": "グループの「説明」として読み込む属性。「説明」は同期後に編集可能です。ただし、mapper が設定されている場合、編集内容は再同期によって上書きされます。"

apps/app/public/static/locales/zh_CN/admin.json

@@ -1069,8 +1069,10 @@
     "execute_sync": "Execute Sync",
     "sync": "Sync",
     "invalid_sync_settings": "Invalid sync settings",
+    "update_sync_settings_failed": "Failed to update sync settings",
     "description_form_detail": "Please note that edited value will be overwritten on next sync if description mapper is set in sync settings",
     "only_description_edit_allowed": "Only description can be edited for external user groups",
+    "sync_succeeded": "Sync succeeded",
     "ldap": {
       "group_sync_settings": "LDAP Group Sync Settings",
       "group_search_base_DN": "Group Search Base DN",
@@ -1084,7 +1086,6 @@
       "preserve_deleted_ldap_groups": "Preserve Deleted LDAP Groups",
       "name_mapper_detail": "Attribute to map as group name",
       "updated_group_sync_settings": "Updated LDAP group sync settings",
-      "sync_succeeded": "Sync succeeded",
       "password": "Password",
       "password_detail": "Login password is necessary because Bind type is set to User Bind",
       "circular_reference": "Sync failed because there is a possible circular reference in your LDAP group tree structure",
@@ -1095,16 +1096,17 @@
       "group_sync_settings": "Keycloak Group Sync Settings",
       "host": "Host",
       "host_detail": "Keycloak host URL",
-      "realm": "Realm",
-      "realm_detail": "Realm that contains the groups to sync",
-      "group_sync_client_name": "Group Sync Client Name",
-      "group_sync_client_name_detail": "Name of the client in the master realm to use for group sync",
-      "group_sync_client_id": "Group Sync Client ID",
-      "group_sync_client_id_detail": "ID of the client in the master realm to use for group sync",
-      "group_sync_client_secret": "Group Sync Client Secret",
-      "group_sync_client_secret_detail": "Secret of the client in the master realm to use for group sync",
+      "group_realm": "Group Realm",
+      "group_realm_detail": "Realm that contains the groups to sync",
+      "group_sync_client_realm": "Realm of client used to request to Admin API",
+      "group_sync_client_realm_detail": "Realm that contains the client used to authenticate to request to Keycloak admin API",
+      "group_sync_client_id": "Client ID",
+      "group_sync_client_id_detail": "Id of the client used to authenticate to request to Keycloak admin API",
+      "group_sync_client_secret": "Client Secret",
+      "group_sync_client_secret_detail": "Id of the secret used to authenticate to request to Keycloak admin API",
       "updated_group_sync_settings": "Updated Keycloak group sync settings",
-      "preserve_deleted_keycloak_groups": "Preserve Deleted Keycloak Groups"
+      "preserve_deleted_keycloak_groups": "Preserve Deleted Keycloak Groups",
+      "auth_not_set": "Please set up and enable OIDC or SAML with Keycloak in security settings before sync"
     },
     "auto_generate_user_on_sync": "Auto Generate User on Sync",
     "description_mapper_detail": "Attribute to map as group description. Description can be edited after sync. However, when a mapper is set, the edited value can possibly be overwritten by the next sync."

apps/app/src/features/external-user-group/client/components/ExternalUserGroup/KeycloakGroupManagement.tsx

@@ -1,12 +1,36 @@
-import { FC } from 'react';
+import { FC, useCallback } from 'react';
+
+import { useTranslation } from 'react-i18next';
+
+import { apiv3Put } from '~/client/util/apiv3-client';
+import { toastError, toastSuccess } from '~/client/util/toastr';
 
 import { KeycloakGroupSyncSettingsForm } from './KeycloakGroupSyncSettingsForm';
 
 export const KeycloakGroupManagement: FC = () => {
+  const { t } = useTranslation('admin');
+
+  const onSyncBtnClick = useCallback(async(e) => {
+    e.preventDefault();
+    try {
+      await apiv3Put('/external-user-groups/keycloak/sync');
+      toastSuccess(t('external_user_group.sync_succeeded'));
+    }
+    catch (errs) {
+      toastError(t(errs[0]?.code));
+    }
+  }, [t]);
 
   return (
     <>
       <KeycloakGroupSyncSettingsForm />
+      <h3 className="border-bottom mb-3">{t('external_user_group.execute_sync')}</h3>
+      <form onSubmit={onSyncBtnClick}>
+        <div className="row">
+          <div className="col-md-3"></div>
+          <div className="col-md-6"><button className="btn btn-primary" type="submit">{t('external_user_group.sync')}</button></div>
+        </div>
+      </form>
     </>
   );
 };

apps/app/src/features/external-user-group/client/components/ExternalUserGroup/KeycloakGroupSyncSettingsForm.tsx

@@ -16,8 +16,8 @@ export const KeycloakGroupSyncSettingsForm: FC = () => {
 
   const [formValues, setFormValues] = useState<KeycloakGroupSyncSettings>({
     keycloakHost: '',
-    keycloakRealm: '',
-    keycloakGroupSyncClientName: '',
+    keycloakGroupRealm: '',
+    keycloakGroupSyncClientRealm: '',
     keycloakGroupSyncClientID: '',
     keycloakGroupSyncClientSecret: '',
     autoGenerateUserOnKeycloakGroupSync: false,
@@ -68,43 +68,43 @@ export const KeycloakGroupSyncSettingsForm: FC = () => {
           </div>
         </div>
         <div className="row form-group">
-          <label htmlFor="keycloakRealm" className="text-left text-md-right col-md-3 col-form-label">
-            {t('external_user_group.keycloak.realm')}
+          <label htmlFor="keycloakGroupRealm" className="text-left text-md-right col-md-3 col-form-label">
+            {t('external_user_group.keycloak.group_realm')}
           </label>
           <div className="col-md-6">
             <input
               className="form-control"
               required
               type="text"
-              name="keycloakRealm"
-              id="keycloakRealm"
-              value={formValues.keycloakRealm}
-              onChange={e => setFormValues({ ...formValues, keycloakRealm: e.target.value })}
+              name="keycloakGroupRealm"
+              id="keycloakGroupRealm"
+              value={formValues.keycloakGroupRealm}
+              onChange={e => setFormValues({ ...formValues, keycloakGroupRealm: e.target.value })}
             />
             <p className="form-text text-muted">
               <small>
-                {t('external_user_group.keycloak.realm_detail')} <br />
+                {t('external_user_group.keycloak.group_realm_detail')} <br />
               </small>
             </p>
           </div>
         </div>
         <div className="row form-group">
-          <label htmlFor="keycloakGroupSyncClientName" className="text-left text-md-right col-md-3 col-form-label">
-            {t('external_user_group.keycloak.group_sync_client_name')}
+          <label htmlFor="keycloakGroupSyncClientRealm" className="text-left text-md-right col-md-3 col-form-label">
+            {t('external_user_group.keycloak.group_sync_client_realm')}
           </label>
           <div className="col-md-6">
             <input
               className="form-control"
               required
               type="text"
-              name="keycloakGroupSyncClientName"
-              id="keycloakGroupSyncClientName"
-              value={formValues.keycloakGroupSyncClientName}
-              onChange={e => setFormValues({ ...formValues, keycloakGroupSyncClientName: e.target.value })}
+              name="keycloakGroupSyncClientRealm"
+              id="keycloakGroupSyncClientRealm"
+              value={formValues.keycloakGroupSyncClientRealm}
+              onChange={e => setFormValues({ ...formValues, keycloakGroupSyncClientRealm: e.target.value })}
             />
             <p className="form-text text-muted">
               <small>
-                {t('external_user_group.keycloak.group_sync_client_name_detail')} <br />
+                {t('external_user_group.keycloak.group_sync_client_realm_detail')} <br />
               </small>
             </p>
           </div>

apps/app/src/features/external-user-group/client/components/ExternalUserGroup/LdapGroupManagement.tsx

@@ -37,7 +37,7 @@ export const LdapGroupManagement: FC = () => {
       else {
         await apiv3Put('/external-user-groups/ldap/sync');
       }
-      toastSuccess(t('external_user_group.ldap.sync_succeeded'));
+      toastSuccess(t('external_user_group.sync_succeeded'));
     }
     catch (errs) {
       toastError(t(errs[0]?.message));

apps/app/src/features/external-user-group/client/components/ExternalUserGroup/LdapGroupSyncSettingsForm.tsx

@@ -38,7 +38,7 @@ export const LdapGroupSyncSettingsForm: FC = () => {
       toastSuccess(t('external_user_group.ldap.updated_group_sync_settings'));
     }
     catch (errs) {
-      toastError(t(errs[0]?.message));
+      toastError(t(errs[0]?.code));
     }
   }, [formValues, t]);
 

apps/app/src/features/external-user-group/interfaces/external-user-group.ts

@@ -3,7 +3,7 @@ import type {
 } from '@growi/core';
 
 
-export const ExternalGroupProviderType = { ldap: 'ldap' } as const;
+export const ExternalGroupProviderType = { ldap: 'ldap', keycloak: 'keycloak' } as const;
 export type ExternalGroupProviderType = typeof ExternalGroupProviderType[keyof typeof ExternalGroupProviderType];
 
 export interface IExternalUserGroup extends Omit<IUserGroup, 'parent'> {
@@ -36,8 +36,8 @@ export interface LdapGroupSyncSettings {
 
 export interface KeycloakGroupSyncSettings {
   keycloakHost: string
-  keycloakRealm: string
-  keycloakGroupSyncClientName: string
+  keycloakGroupRealm: string
+  keycloakGroupSyncClientRealm: string
   keycloakGroupSyncClientID: string
   keycloakGroupSyncClientSecret: string
   autoGenerateUserOnKeycloakGroupSync: boolean

apps/app/src/features/external-user-group/server/routes/apiv3/external-user-group.ts

@@ -17,6 +17,7 @@ import { configManager } from '~/server/service/config-manager';
 import UserGroupService from '~/server/service/user-group';
 import loggerFactory from '~/utils/logger';
 
+import KeycloakUserGroupSyncService from '../../service/keycloak-user-group-sync';
 import LdapUserGroupSyncService from '../../service/ldap-user-group-sync';
 
 const logger = loggerFactory('growi:routes:apiv3:external-user-group');
@@ -47,8 +48,8 @@ module.exports = (crowi: Crowi): Router => {
     ],
     keycloakSyncSettings: [
       body('keycloakHost').exists({ checkFalsy: true }).isString(),
-      body('keycloakRealm').exists({ checkFalsy: true }).isString(),
-      body('keycloakGroupSyncClientName').exists({ checkFalsy: true }).isString(),
+      body('keycloakGroupRealm').exists({ checkFalsy: true }).isString(),
+      body('keycloakGroupSyncClientRealm').exists({ checkFalsy: true }).isString(),
       body('keycloakGroupSyncClientID').exists({ checkFalsy: true }).isString(),
       body('keycloakGroupSyncClientSecret').exists({ checkFalsy: true }).isString(),
       body('autoGenerateUserOnKeycloakGroupSync').exists().isBoolean(),
@@ -225,8 +226,8 @@ module.exports = (crowi: Crowi): Router => {
   router.get('/keycloak/sync-settings', loginRequiredStrictly, adminRequired, (req: AuthorizedRequest, res: ApiV3Response) => {
     const settings = {
       keycloakHost: configManager?.getConfig('crowi', 'external-user-group:keycloak:host'),
-      keycloakRealm: configManager?.getConfig('crowi', 'external-user-group:keycloak:realm'),
-      keycloakGroupSyncClientName: configManager?.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientName'),
+      keycloakGroupRealm: configManager?.getConfig('crowi', 'external-user-group:keycloak:groupRealm'),
+      keycloakGroupSyncClientRealm: configManager?.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientRealm'),
       keycloakGroupSyncClientID: configManager?.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientID'),
       keycloakGroupSyncClientSecret: configManager?.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientSecret'),
       autoGenerateUserOnKeycloakGroupSync: configManager?.getConfig('crowi', 'external-user-group:keycloak:autoGenerateUserOnGroupSync'),
@@ -240,7 +241,9 @@ module.exports = (crowi: Crowi): Router => {
   router.put('/ldap/sync-settings', loginRequiredStrictly, adminRequired, validators.ldapSyncSettings, async(req: AuthorizedRequest, res: ApiV3Response) => {
     const errors = validationResult(req);
     if (!errors.isEmpty()) {
-      return res.apiv3Err('external_user_group.invalid_sync_settings', 400);
+      return res.apiv3Err(
+        new ErrorV3('Invalid sync settings', 'external_user_group.invalid_sync_settings'), 400,
+      );
     }
 
     const params = {
@@ -265,7 +268,9 @@ module.exports = (crowi: Crowi): Router => {
     }
     catch (err) {
       logger.error(err);
-      return res.apiv3Err(err, 500);
+      return res.apiv3Err(
+        new ErrorV3('Sync settings update failed', 'external_user_group.update_sync_settings_failed'), 500,
+      );
     }
   });
 
@@ -273,13 +278,15 @@ module.exports = (crowi: Crowi): Router => {
     async(req: AuthorizedRequest, res: ApiV3Response) => {
       const errors = validationResult(req);
       if (!errors.isEmpty()) {
-        return res.apiv3Err('external_user_group.invalid_sync_settings', 400);
+        return res.apiv3Err(
+          new ErrorV3('Invalid sync settings', 'external_user_group.invalid_sync_settings'), 400,
+        );
       }
 
       const params = {
         'external-user-group:keycloak:host': req.body.keycloakHost,
-        'external-user-group:keycloak:realm': req.body.keycloakRealm,
-        'external-user-group:keycloak:groupSyncClientName': req.body.keycloakGroupSyncClientName,
+        'external-user-group:keycloak:groupRealm': req.body.keycloakGroupRealm,
+        'external-user-group:keycloak:groupSyncClientRealm': req.body.keycloakGroupSyncClientRealm,
         'external-user-group:keycloak:groupSyncClientID': req.body.keycloakGroupSyncClientID,
         'external-user-group:keycloak:groupSyncClientSecret': req.body.keycloakGroupSyncClientSecret,
         'external-user-group:keycloak:autoGenerateUserOnGroupSync': req.body.autoGenerateUserOnKeycloakGroupSync,
@@ -293,7 +300,9 @@ module.exports = (crowi: Crowi): Router => {
       }
       catch (err) {
         logger.error(err);
-        return res.apiv3Err(err, 500);
+        return res.apiv3Err(
+          new ErrorV3('Sync settings update failed', 'external_user_group.update_sync_settings_failed'), 500,
+        );
       }
     });
 
@@ -310,6 +319,49 @@ module.exports = (crowi: Crowi): Router => {
     return res.apiv3({}, 204);
   });
 
+  router.put('/keycloak/sync', loginRequiredStrictly, adminRequired, async(req: AuthorizedRequest, res: ApiV3Response) => {
+    const getAuthProviderType = () => {
+      const kcHost = configManager?.getConfig('crowi', 'external-user-group:keycloak:host');
+      const kcGroupRealm = configManager?.getConfig('crowi', 'external-user-group:keycloak:groupRealm');
+
+      // starts with kcHost, contains kcGroupRealm in path
+      // see: https://regex101.com/r/3ihDmf/1
+      const regex = new RegExp(`^${kcHost}/.*/${kcGroupRealm}(/|$).*`);
+
+      const isOidcEnabled = configManager.getConfig('crowi', 'security:passport-oidc:isEnabled');
+      const oidcIssuerHost = configManager.getConfig('crowi', 'security:passport-oidc:issuerHost');
+
+      if (isOidcEnabled && regex.test(oidcIssuerHost)) return 'oidc';
+
+      const isSamlEnabled = configManager.getConfig('crowi', 'security:passport-saml:isEnabled');
+      const samlEntryPoint = configManager.getConfig('crowi', 'security:passport-saml:entryPoint');
+
+      if (isSamlEnabled && regex.test(samlEntryPoint)) return 'saml';
+
+      return null;
+    };
+
+    const authProviderType = getAuthProviderType();
+    if (authProviderType == null) {
+      return res.apiv3Err(
+        new ErrorV3('Authentication using keycloak is not set', 'external_user_group.keycloak.auth_not_set'), 500,
+      );
+    }
+
+    try {
+      const keycloakUserGroupSyncService = new KeycloakUserGroupSyncService(authProviderType);
+      await keycloakUserGroupSyncService.syncExternalUserGroups();
+    }
+    catch (err) {
+      logger.error(err);
+      return res.apiv3Err(
+        new ErrorV3('Sync failed', 'external_user_group.sync_failed'), 500,
+      );
+    }
+
+    return res.apiv3({}, 204);
+  });
+
   return router;
 
 };

apps/app/src/features/external-user-group/server/service/keycloak-user-group-sync.ts

@@ -0,0 +1,123 @@
+import { GroupRepresentation, KeycloakAdminClient, UserRepresentation } from '@s3pweb/keycloak-admin-client-cjs';
+
+import { configManager } from '~/server/service/config-manager';
+import { batchProcessPromiseAll } from '~/utils/promise';
+
+import { ExternalGroupProviderType, ExternalUserGroupTreeNode, ExternalUserInfo } from '../../interfaces/external-user-group';
+
+import ExternalUserGroupSyncService from './external-user-group-sync';
+
+// When d = max depth of group trees
+// Max space complexity of generateExternalUserGroupTrees will be:
+// O(TREES_BATCH_SIZE * d)
+const TREES_BATCH_SIZE = 10;
+
+class KeycloakUserGroupSyncService extends ExternalUserGroupSyncService {
+
+  kcAdminClient: KeycloakAdminClient;
+
+  realm: string; // realm that contains the groups
+
+  groupDescriptionAttribute: string; // attribute to map to group description
+
+  constructor(authProviderType: string) {
+    const kcHost = configManager?.getConfig('crowi', 'external-user-group:keycloak:host');
+    const kcGroupRealm = configManager?.getConfig('crowi', 'external-user-group:keycloak:groupRealm');
+    const kcGroupSyncClientRealm = configManager?.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientRealm');
+    const kcGroupDescriptionAttribute = configManager?.getConfig('crowi', 'external-user-group:keycloak:groupDescriptionAttribute');
+
+    super(ExternalGroupProviderType.keycloak, authProviderType);
+    this.kcAdminClient = new KeycloakAdminClient({ baseUrl: kcHost, realmName: kcGroupSyncClientRealm });
+    this.realm = kcGroupRealm;
+    this.groupDescriptionAttribute = kcGroupDescriptionAttribute;
+  }
+
+  async generateExternalUserGroupTrees(): Promise<ExternalUserGroupTreeNode[]> {
+    await this.auth();
+
+    // Type is 'GroupRepresentation', but 'find' does not return 'attributes' field. Hence, attribute for description is not present.
+    const rootGroups = await this.kcAdminClient.groups.find({ realm: this.realm });
+
+    return (await batchProcessPromiseAll(rootGroups, TREES_BATCH_SIZE, group => this.groupRepresentationToTreeNode(group)))
+      .filter((node): node is NonNullable<ExternalUserGroupTreeNode> => node != null);
+  }
+
+  /**
+   * Authenticate to group sync client using client credentials grant type
+   */
+  private async auth(): Promise<void> {
+    const kcGroupSyncClientID: string = configManager.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientID');
+    const kcGroupSyncClientSecret: string = configManager.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientSecret');
+
+    await this.kcAdminClient.auth({
+      grantType: 'client_credentials',
+      clientId: kcGroupSyncClientID,
+      clientSecret: kcGroupSyncClientSecret,
+    });
+  }
+
+  /**
+   * Convert GroupRepresentation response returned from Keycloak to ExternalUserGroupTreeNode
+   */
+  private async groupRepresentationToTreeNode(group: GroupRepresentation): Promise<ExternalUserGroupTreeNode | null> {
+    if (group.id == null || group.name == null) return null;
+
+    const userRepresentations = await this.kcAdminClient.groups.listMembers({ id: group.id, realm: this.realm });
+
+    const userInfos = userRepresentations != null ? this.userRepresentationsToExternalUserInfos(userRepresentations) : [];
+    const description = await this.getGroupDescription(group.id) || undefined;
+    const childGroups = group.subGroups;
+
+    const childGroupNodesWithNull: (ExternalUserGroupTreeNode | null)[] = [];
+    if (childGroups != null) {
+      // Do not use Promise.all, because the number of promises processed can
+      // exponentially grow when group tree is enormous
+      for await (const childGroup of childGroups) {
+        childGroupNodesWithNull.push(await this.groupRepresentationToTreeNode(childGroup));
+      }
+    }
+    const childGroupNodes: ExternalUserGroupTreeNode[] = childGroupNodesWithNull
+      .filter((node): node is NonNullable<ExternalUserGroupTreeNode> => node != null);
+
+    return {
+      id: group.id,
+      userInfos,
+      childGroupNodes,
+      name: group.name,
+      description,
+    };
+  }
+
+  /**
+   * Fetch group detail from Keycloak and return group description
+   */
+  private async getGroupDescription(groupId: string): Promise<string | null> {
+    if (this.groupDescriptionAttribute == null) return null;
+
+    const groupDetail = await this.kcAdminClient.groups.findOne({ id: groupId, realm: this.realm });
+
+    const description = groupDetail?.attributes?.[this.groupDescriptionAttribute]?.[0];
+    return typeof description === 'string' ? description : null;
+  }
+
+  /**
+   * Convert UserRepresentation array response returned from Keycloak to ExternalUserInfo
+   */
+  private userRepresentationsToExternalUserInfos(userRepresentations: UserRepresentation[]): ExternalUserInfo[] {
+    const externalUserGroupsWithNull: (ExternalUserInfo | null)[] = userRepresentations.map((userRepresentation) => {
+      if (userRepresentation.id != null && userRepresentation.username != null) {
+        return {
+          id: userRepresentation.id,
+          username: userRepresentation.username,
+          email: userRepresentation.email,
+        };
+      }
+      return null;
+    });
+
+    return externalUserGroupsWithNull.filter((node): node is NonNullable<ExternalUserInfo> => node != null);
+  }
+
+}
+
+export default KeycloakUserGroupSyncService;

apps/app/src/features/external-user-group/server/service/ldap-user-group-sync.ts

@@ -60,6 +60,9 @@ class LdapUserGroupSyncService extends ExternalUserGroupSyncService {
     };
 
     const convert = async(entry: SearchResultEntry, converted: string[]): Promise<ExternalUserGroupTreeNode | null> => {
+      const name = this.ldapService.getStringValFromSearchResultEntry(entry, groupNameAttribute);
+      if (name == null) return null;
+
       if (converted.includes(entry.objectName)) {
         throw Error('external_user_group.ldap.circular_reference');
       }
@@ -70,7 +73,6 @@ class LdapUserGroupSyncService extends ExternalUserGroupSyncService {
       const userInfos = (await batchProcessPromiseAll(userIds, USERS_BATCH_SIZE, (id) => {
         return this.getUserInfo(id);
       })).filter((info): info is NonNullable<ExternalUserInfo> => info != null);
-      const name = this.ldapService.getStringValFromSearchResultEntry(entry, groupNameAttribute);
       const description = this.ldapService.getStringValFromSearchResultEntry(entry, groupDescriptionAttribute);
       const childGroupDNs = getChildGroupDnsFromGroupEntry(entry);
 
@@ -84,13 +86,13 @@ class LdapUserGroupSyncService extends ExternalUserGroupSyncService {
       const childGroupNodes: ExternalUserGroupTreeNode[] = childGroupNodesWithNull
         .filter((node): node is NonNullable<ExternalUserGroupTreeNode> => node != null);
 
-      return name != null ? {
+      return {
         id: entry.objectName,
         userInfos,
         childGroupNodes,
         name,
         description,
-      } : null;
+      };
     };
 
     // all the DNs of groups that are not a root of a tree

yarn.lock

@@ -2965,6 +2965,16 @@
   resolved "https://registry.yarnpkg.com/@juggle/resize-observer/-/resize-observer-3.3.1.tgz#b50a781709c81e10701004214340f25475a171a0"
   integrity sha512-zMM9Ds+SawiUkakS7y94Ymqx+S0ORzpG3frZirN3l+UlXUmSUR7hF4wxCVqW+ei94JzV5kt0uXBcoOEAuiydrw==
 
+"@keycloak/keycloak-admin-client@22.0.1":
+  version "22.0.1"
+  resolved "https://registry.yarnpkg.com/@keycloak/keycloak-admin-client/-/keycloak-admin-client-22.0.1.tgz#2cb574c90d20e69a5b98fccce376291857070da6"
+  integrity sha512-/eKzNzT2hW/tRQd8/33dX1dfRU4xBsd3/30bL2OFF5+J+1UUmRYM2klYcFhdIkFX3P9/ptqH+vHpqCusdMcSCw==
+  dependencies:
+    camelize-ts "^3.0.0"
+    lodash-es "^4.17.21"
+    url-join "^5.0.0"
+    url-template "^3.1.0"
+
 "@khanacademy/simple-markdown@^0.8.6":
   version "0.8.6"
   resolved "https://registry.yarnpkg.com/@khanacademy/simple-markdown/-/simple-markdown-0.8.6.tgz#9c9aef1f5ce2ce60292d13849165965a57c26f25"
@@ -3489,6 +3499,13 @@
     colors "~1.2.1"
     string-argv "~0.3.1"
 
+"@s3pweb/keycloak-admin-client-cjs@^22.0.1":
+  version "22.0.1"
+  resolved "https://registry.yarnpkg.com/@s3pweb/keycloak-admin-client-cjs/-/keycloak-admin-client-cjs-22.0.1.tgz#65b2861a947a8fe9be34ff0b2932cb01652c05a8"
+  integrity sha512-F8zr13/rR3QcDzKEty541rXaubU6+Yn/5aMzmSy6in5TeUL3FLqF0QmuW3g1xrgABywcGopew2sEq0X3qJfRUw==
+  dependencies:
+    "@keycloak/keycloak-admin-client" "22.0.1"
+
 "@sematext/gc-stats@1.5.8":
   version "1.5.8"
   resolved "https://registry.yarnpkg.com/@sematext/gc-stats/-/gc-stats-1.5.8.tgz#73edb27bcbe0f3976041e2dc42cc86874128eeb9"
@@ -5674,6 +5691,11 @@ camelcase@^6.3.0:
   resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-6.3.0.tgz#5685b95eb209ac9c0c177467778c9c84df58ba9a"
   integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==
 
+camelize-ts@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/camelize-ts/-/camelize-ts-3.0.0.tgz#b9a7b4ff802464dc3d6475637a64a9742ad3db09"
+  integrity sha512-cgRwKKavoDKLTjO4FQTs3dRBePZp/2Y9Xpud0FhuCOTE86M2cniKN4CCXgRnsyXNMmQMifVHcv6SPaMtTx6ofQ==
+
 can-use-dom@^0.1.0:
   version "0.1.0"
   resolved "https://registry.yarnpkg.com/can-use-dom/-/can-use-dom-0.1.0.tgz#22cc4a34a0abc43950f42c6411024a3f6366b45a"
@@ -16572,6 +16594,16 @@ url-join@^4.0.0:
   version "4.0.0"
   resolved "https://registry.yarnpkg.com/url-join/-/url-join-4.0.0.tgz#4d3340e807d3773bda9991f8305acdcc2a665d2a"
 
+url-join@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/url-join/-/url-join-5.0.0.tgz#c2f1e5cbd95fa91082a93b58a1f42fecb4bdbcf1"
+  integrity sha512-n2huDr9h9yzd6exQVnH/jU5mr+Pfx08LRXXZhkLLetAMESRj+anQsTAh940iMrIetKAmry9coFuZQ2jY8/p3WA==
+
+url-template@^3.1.0:
+  version "3.1.0"
+  resolved "https://registry.yarnpkg.com/url-template/-/url-template-3.1.0.tgz#d9be13d342ad31fcedc3c0bd21405fd141d02ff1"
+  integrity sha512-vB/eHWttzhN+NZzk9FcQB2h1cSEgb7zDYyvyxPhw02LYw7YqIzO+w1AqkcKvZ51gPH8o4+nyiWve/xuQqMdJZw==
+
 url-value-parser@2.2.0:
   version "2.2.0"
   resolved "https://registry.yarnpkg.com/url-value-parser/-/url-value-parser-2.2.0.tgz#f38ae8cd24604ec69bc219d66929ddbbd93a2b32"