Sākums Izpētīt Palīdzība
Pierakstīties
wiki
/
weseek__growi
spogulis no https://github.com/weseek/growi
2
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Koks: e7835498d5
Atzari Tagi
weseek__growi
/
apps
/
app
/
src
/
features
/
external-user-group
/
server
/
service
/
keycloak-user-group-sync.ts

keycloak-user-group-sync.ts 6.6 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168 
  1. import KeycloakAdminClient from '@keycloak/keycloak-admin-client';
    2. 

  2. import GroupRepresentation from '@keycloak/keycloak-admin-client/lib/defs/groupRepresentation';
    3. 

  3. import UserRepresentation from '@keycloak/keycloak-admin-client/lib/defs/userRepresentation';
    4. 

  4. 

  5. import { configManager } from '~/server/service/config-manager';
    6. 

  6. import { S2sMessagingService } from '~/server/service/s2s-messaging/base';
    7. 

  7. import loggerFactory from '~/utils/logger';
    8. 

  8. import { batchProcessPromiseAll } from '~/utils/promise';
    9. 

  9. 

  10. import { ExternalGroupProviderType, ExternalUserGroupTreeNode, ExternalUserInfo } from '../../interfaces/external-user-group';
    11. 

  11. 

  12. import ExternalUserGroupSyncService from './external-user-group-sync';
    13. 

  13. 

  14. const logger = loggerFactory('growi:service:keycloak-user-group-sync-service');
    15. 

  15. 

  16. // When d = max depth of group trees
    17. 

  17. // Max space complexity of generateExternalUserGroupTrees will be:
    18. 

  18. // O(TREES_BATCH_SIZE * d)
    19. 

  19. const TREES_BATCH_SIZE = 10;
    20. 

  20. 

  21. export class KeycloakUserGroupSyncService extends ExternalUserGroupSyncService {
    22. 

  22. 

  23.   kcAdminClient: KeycloakAdminClient;
    24. 

  24. 

  25.   realm: string; // realm that contains the groups
    26. 

  26. 

  27.   groupDescriptionAttribute: string; // attribute to map to group description
    28. 

  28. 

  29.   isInitialized = false;
    30. 

  30. 

  31.   // eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
    32. 

  32.   constructor(s2sMessagingService: S2sMessagingService | null, socketIoService) {
    33. 

  33.     const kcHost = configManager?.getConfig('crowi', 'external-user-group:keycloak:host');
    34. 

  34.     const kcGroupRealm = configManager?.getConfig('crowi', 'external-user-group:keycloak:groupRealm');
    35. 

  35.     const kcGroupSyncClientRealm = configManager?.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientRealm');
    36. 

  36.     const kcGroupDescriptionAttribute = configManager?.getConfig('crowi', 'external-user-group:keycloak:groupDescriptionAttribute');
    37. 

  37. 

  38.     super(ExternalGroupProviderType.keycloak, s2sMessagingService, socketIoService);
    39. 

  39.     this.kcAdminClient = new KeycloakAdminClient({ baseUrl: kcHost, realmName: kcGroupSyncClientRealm });
    40. 

  40.     this.realm = kcGroupRealm;
    41. 

  41.     this.groupDescriptionAttribute = kcGroupDescriptionAttribute;
    42. 

  42.   }
    43. 

  43. 

  44.   init(authProviderType: 'oidc' | 'saml'): void {
    45. 

  45.     this.authProviderType = authProviderType;
    46. 

  46.     this.isInitialized = true;
    47. 

  47.   }
    48. 

  48. 

  49.   override syncExternalUserGroups(): Promise<void> {
    50. 

  50.     if (!this.isInitialized) {
    51. 

  51.       const msg = 'Service not initialized';
    52. 

  52.       logger.error(msg);
    53. 

  53.       throw new Error(msg);
    54. 

  54.     }
    55. 

  55.     return super.syncExternalUserGroups();
    56. 

  56.   }
    57. 

  57. 

  58.   override async generateExternalUserGroupTrees(): Promise<ExternalUserGroupTreeNode[]> {
    59. 

  59.     await this.auth();
    60. 

  60. 

  61.     // Type is 'GroupRepresentation', but 'find' does not return 'attributes' field. Hence, attribute for description is not present.
    62. 

  62.     logger.info('Get groups from keycloak server');
    63. 

  63.     const rootGroups = await this.kcAdminClient.groups.find({ realm: this.realm });
    64. 

  64. 

  65.     return (await batchProcessPromiseAll(rootGroups, TREES_BATCH_SIZE, group => this.groupRepresentationToTreeNode(group)))
    66. 

  66.       .filter((node): node is NonNullable<ExternalUserGroupTreeNode> => node != null);
    67. 

  67.   }
    68. 

  68. 

  69.   /**
    70. 

  70.    * Authenticate to group sync client using client credentials grant type
    71. 

  71.    */
    72. 

  72.   private async auth(): Promise<void> {
    73. 

  73.     const kcGroupSyncClientID: string = configManager.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientID');
    74. 

  74.     const kcGroupSyncClientSecret: string = configManager.getConfig('crowi', 'external-user-group:keycloak:groupSyncClientSecret');
    75. 

  75. 

  76.     await this.kcAdminClient.auth({
    77. 

  77.       grantType: 'client_credentials',
    78. 

  78.       clientId: kcGroupSyncClientID,
    79. 

  79.       clientSecret: kcGroupSyncClientSecret,
    80. 

  80.     });
    81. 

  81.   }
    82. 

  82. 

  83.   /**
    84. 

  84.    * Convert GroupRepresentation response returned from Keycloak to ExternalUserGroupTreeNode
    85. 

  85.    */
    86. 

  86.   private async groupRepresentationToTreeNode(group: GroupRepresentation): Promise<ExternalUserGroupTreeNode | null> {
    87. 

  87.     if (group.id == null || group.name == null) return null;
    88. 

  88. 

  89.     logger.info('Get users from keycloak server');
    90. 

  90.     const userRepresentations = await this.getMembers(group.id);
    91. 

  91. 

  92.     const userInfos = userRepresentations != null ? this.userRepresentationsToExternalUserInfos(userRepresentations) : [];
    93. 

  93.     const description = await this.getGroupDescription(group.id) || undefined;
    94. 

  94.     const childGroups = group.subGroups;
    95. 

  95. 

  96.     const childGroupNodesWithNull: (ExternalUserGroupTreeNode | null)[] = [];
    97. 

  97.     if (childGroups != null) {
    98. 

  98.       // Do not use Promise.all, because the number of promises processed can
    99. 

  99.       // exponentially grow when group tree is enormous
    100. 

  100.       for await (const childGroup of childGroups) {
    101. 

  101.         childGroupNodesWithNull.push(await this.groupRepresentationToTreeNode(childGroup));
    102. 

  102.       }
    103. 

  103.     }
    104. 

  104.     const childGroupNodes: ExternalUserGroupTreeNode[] = childGroupNodesWithNull
    105. 

  105.       .filter((node): node is NonNullable<ExternalUserGroupTreeNode> => node != null);
    106. 

  106. 

  107.     return {
    108. 

  108.       id: group.id,
    109. 

  109.       userInfos,
    110. 

  110.       childGroupNodes,
    111. 

  111.       name: group.name,
    112. 

  112.       description,
    113. 

  113.     };
    114. 

  114.   }
    115. 

  115. 

  116.   private async getMembers(groupId: string): Promise<UserRepresentation[]> {
    117. 

  117.     let allUsers: UserRepresentation[] = [];
    118. 

  118. 

  119.     const fetchUsersWithOffset = async(offset: number) => {
    120. 

  120.       await this.auth();
    121. 

  121.       const response = await this.kcAdminClient.groups.listMembers({
    122. 

  122.         id: groupId, realm: this.realm, first: offset,
    123. 

  123.       });
    124. 

  124. 

  125.       if (response != null && response.length > 0) {
    126. 

  126.         allUsers = allUsers.concat(response);
    127. 

  127.         return fetchUsersWithOffset(offset + response.length);
    128. 

  128.       }
    129. 

  129.     };
    130. 

  130. 

  131.     await fetchUsersWithOffset(0);
    132. 

  132. 

  133.     return allUsers;
    134. 

  134.   }
    135. 

  135. 

  136. 

  137.   /**
    138. 

  138.    * Fetch group detail from Keycloak and return group description
    139. 

  139.    */
    140. 

  140.   private async getGroupDescription(groupId: string): Promise<string | null> {
    141. 

  141.     if (this.groupDescriptionAttribute == null) return null;
    142. 

  142. 

  143.     await this.auth();
    144. 

  144.     const groupDetail = await this.kcAdminClient.groups.findOne({ id: groupId, realm: this.realm });
    145. 

  145. 

  146.     const description = groupDetail?.attributes?.[this.groupDescriptionAttribute]?.[0];
    147. 

  147.     return typeof description === 'string' ? description : null;
    148. 

  148.   }
    149. 

  149. 

  150.   /**
    151. 

  151.    * Convert UserRepresentation array response returned from Keycloak to ExternalUserInfo
    152. 

  152.    */
    153. 

  153.   private userRepresentationsToExternalUserInfos(userRepresentations: UserRepresentation[]): ExternalUserInfo[] {
    154. 

  154.     const externalUserGroupsWithNull: (ExternalUserInfo | null)[] = userRepresentations.map((userRepresentation) => {
    155. 

  155.       if (userRepresentation.id != null && userRepresentation.username != null) {
    156. 

  156.         return {
    157. 

  157.           id: userRepresentation.id,
    158. 

  158.           username: userRepresentation.username,
    159. 

  159.           email: userRepresentation.email,
    160. 

  160.         };
    161. 

  161.       }
    162. 

  162.       return null;
    163. 

  163.     });
    164. 

  164. 

  165.     return externalUserGroupsWithNull.filter((node): node is NonNullable<ExternalUserInfo> => node != null);
    166. 

  166.   }
    167. 

  167. 

  168. }
    169.