Commit 988f9eef authored by François Agneray's avatar François Agneray

Refactor AdminMiddleware to RouteGuardMiddleware

parent fbbfbcae
Pipeline #4778 passed with stages
in 3 minutes and 8 seconds
......@@ -15,7 +15,7 @@ list:
@echo " shell > shell into php container"
@echo " phpunit > run php unit test suite"
@echo " phpcs > run php code sniffer test suite"
@echo " create-db > create a database for dev only"
@echo " create-db > create a database for dev only (need token_enabled=0)"
@echo " remove-pgdata > remove the metadata database"
@echo ""
......
......@@ -22,7 +22,11 @@ $app->group('', function (RouteCollectorProxy $group) {
$group->map([OPTIONS, GET, POST], '/database', App\Action\DatabaseListAction::class);
$group->map([OPTIONS, GET, PUT, DELETE], '/database/{id}', App\Action\DatabaseAction::class);
$group->map([OPTIONS, GET], '/database/{id}/table', App\Action\TableListAction::class);
})->add(new App\Middleware\AdminMiddleware($container->get(SETTINGS)['token'], false));
})->add(new App\Middleware\RouteGuardMiddleware(
boolval($container->get(SETTINGS)['token']['enabled']),
array(GET, POST, PUT, DELETE),
$container->get(SETTINGS)['token']['admin_role']
));
$app->group('', function (RouteCollectorProxy $group) {
$group->map([OPTIONS, GET, POST], '/project', App\Action\ProjectListAction::class);
......@@ -54,7 +58,11 @@ $app->group('', function (RouteCollectorProxy $group) {
'/dataset/{name}/attribute/{id}/distinct',
App\Action\AttributeDistinctAction::class
);
})->add(new App\Middleware\AdminMiddleware($container->get(SETTINGS)['token'], true));
})->add(new App\Middleware\RouteGuardMiddleware(
boolval($container->get(SETTINGS)['token']['enabled']),
array(POST, PUT, DELETE),
$container->get(SETTINGS)['token']['admin_role']
));
$app->get('/search/{dname}', App\Action\SearchAction::class);
$app->get('/download-file/{dname}/[{fpath:.*}]', App\Action\DownloadFileAction::class);
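Review bot: Both groups read `$container->get(SETTINGS)['token']` three times and build the method list with long-form `array(...)` while the `map()` calls just above use short `[...]`; hoist the settings once, e.g. `$token = $container->get(SETTINGS)['token'];` before the group, and pass `[GET, POST, PUT, DELETE]` / `[POST, PUT, DELETE]` in the two constructor calls (the second hunk has the same shape). A constructor taking a positional bool followed by an array and a string is hard to read at the call site; presumably the first argument switches the guard off entirely, and a one-line comment saying so at each call site would make that visible. If `token.enabled` can arrive as a string from the environment (the Makefile help text in this commit mentions `token_enabled=0`), note that `boolval('false')` is `true` — only `'0'` and `''` switch the guard off — so `filter_var($value, FILTER_VALIDATE_BOOLEAN)` would make the accepted spellings explicit. The `$app->group()` closures begin before each hunk.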
......@@ -78,6 +78,7 @@
}
],
"client": {
"anis-server": [],
"realm-management": [
{
"id": "28356123-8757-4c1e-824a-d6198b6f514a",
......@@ -115,15 +116,6 @@
"containerId": "4c838d6e-2a85-43b2-98ef-31baa9abc751",
"attributes": {}
},
{
"id": "140214b4-f080-445a-be99-143c37ae7265",
"name": "view-authorization",
"description": "${role_view-authorization}",
"composite": false,
"clientRole": true,
"containerId": "4c838d6e-2a85-43b2-98ef-31baa9abc751",
"attributes": {}
},
{
"id": "1433f541-7313-42ad-944a-1ad3a013a16e",
"name": "manage-events",
......@@ -134,9 +126,9 @@
"attributes": {}
},
{
"id": "a6b090c3-8d74-4b5a-9ee3-0af022ec42c8",
"name": "view-events",
"description": "${role_view-events}",
"id": "140214b4-f080-445a-be99-143c37ae7265",
"name": "view-authorization",
"description": "${role_view-authorization}",
"composite": false,
"clientRole": true,
"containerId": "4c838d6e-2a85-43b2-98ef-31baa9abc751",
......@@ -176,26 +168,19 @@
"attributes": {}
},
{
"id": "0f8574cf-9446-402e-a796-c2bfeed6972c",
"name": "view-identity-providers",
"description": "${role_view-identity-providers}",
"id": "a6b090c3-8d74-4b5a-9ee3-0af022ec42c8",
"name": "view-events",
"description": "${role_view-events}",
"composite": false,
"clientRole": true,
"containerId": "4c838d6e-2a85-43b2-98ef-31baa9abc751",
"attributes": {}
},
{
"id": "516fc6e2-735f-4cb5-bf78-e5a2d861dcf2",
"name": "view-clients",
"description": "${role_view-clients}",
"composite": true,
"composites": {
"client": {
"realm-management": [
"query-clients"
]
}
},
"id": "0f8574cf-9446-402e-a796-c2bfeed6972c",
"name": "view-identity-providers",
"description": "${role_view-identity-providers}",
"composite": false,
"clientRole": true,
"containerId": "4c838d6e-2a85-43b2-98ef-31baa9abc751",
"attributes": {}
......@@ -219,10 +204,17 @@
"attributes": {}
},
{
"id": "c5ab0512-757d-4d62-a51d-059bd6196716",
"name": "manage-users",
"description": "${role_manage-users}",
"composite": false,
"id": "516fc6e2-735f-4cb5-bf78-e5a2d861dcf2",
"name": "view-clients",
"description": "${role_view-clients}",
"composite": true,
"composites": {
"client": {
"realm-management": [
"query-clients"
]
}
},
"clientRole": true,
"containerId": "4c838d6e-2a85-43b2-98ef-31baa9abc751",
"attributes": {}
......@@ -236,6 +228,15 @@
"containerId": "4c838d6e-2a85-43b2-98ef-31baa9abc751",
"attributes": {}
},
{
"id": "c5ab0512-757d-4d62-a51d-059bd6196716",
"name": "manage-users",
"description": "${role_manage-users}",
"composite": false,
"clientRole": true,
"containerId": "4c838d6e-2a85-43b2-98ef-31baa9abc751",
"attributes": {}
},
{
"id": "8276874f-f8e4-47c9-8a80-f2a11c893637",
"name": "query-groups",
......@@ -332,6 +333,15 @@
"containerId": "01ca96ce-f6f9-4309-924c-9a3ec0402606",
"attributes": {}
},
{
"id": "787a3237-0e39-4747-b555-ef20f8a2f32c",
"name": "delete-account",
"description": "${role_delete-account}",
"composite": false,
"clientRole": true,
"containerId": "01ca96ce-f6f9-4309-924c-9a3ec0402606",
"attributes": {}
},
{
"id": "d79b6d3f-246e-4275-ac7b-0883f295522b",
"name": "view-applications",
......@@ -380,8 +390,8 @@
},
"groups": [],
"defaultRoles": [
"offline_access",
"uma_authorization",
"offline_access",
"anis_user"
],
"requiredCredentials": [
......@@ -421,6 +431,33 @@
"webAuthnPolicyPasswordlessCreateTimeout": 0,
"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
"webAuthnPolicyPasswordlessAcceptableAaguids": [],
"users": [
{
"id": "9bc69ea7-b714-457e-b143-7d21d5170ea4",
"createdTimestamp": 1617738228417,
"username": "service-account-anis-server",
"enabled": true,
"totp": false,
"emailVerified": false,
"serviceAccountClientId": "anis-server",
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"anis_admin",
"uma_authorization",
"offline_access",
"anis_user"
],
"clientRoles": {
"account": [
"view-profile",
"manage-account"
]
},
"notBefore": 0,
"groups": []
}
],
"scopeMappings": [
{
"clientScope": "offline_access",
......@@ -669,6 +706,111 @@
"microprofile-jwt"
]
},
{
"id": "8a2e691f-81c1-4e2c-98c6-1f9044518f64",
"clientId": "anis-server",
"rootUrl": "http://localhost:8080",
"adminUrl": "http://localhost:8080",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "**********",
"redirectUris": [
"http://localhost:8080/*"
],
"webOrigins": [
"http://localhost:8080"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"saml.assertion.signature": "false",
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"id": "d11ec758-1406-4219-bb44-f4f73b3db092",
"name": "Client ID",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientId",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientId",
"jsonType.label": "String"
}
},
{
"id": "46d1e274-68f5-4d98-9850-2b715bc5bee5",
"name": "Client IP Address",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientAddress",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientAddress",
"jsonType.label": "String"
}
},
{
"id": "c7579bbc-2224-4a13-8d9f-ea9aa21c994c",
"name": "Client Host",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientHost",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientHost",
"jsonType.label": "String"
}
}
],
"defaultClientScopes": [
"web-origins",
"role_list",
"profile",
"roles",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
},
{
"id": "c9174c37-a8d0-4028-a512-2cf5a47cb20e",
"clientId": "broker",
......@@ -1287,6 +1429,7 @@
"consentRequired": false,
"config": {
"multivalued": "true",
"userinfo.token.claim": "true",
"user.attribute": "foo",
"id.token.claim": "true",
"access.token.claim": "true",
......@@ -1333,6 +1476,8 @@
"enabledEventTypes": [],
"adminEventsEnabled": false,
"adminEventsDetailsEnabled": false,
"identityProviders": [],
"identityProviderMappers": [],
"components": {
"org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
{
......@@ -1351,14 +1496,14 @@
"subComponents": {},
"config": {
"allowed-protocol-mapper-types": [
"oidc-sha256-pairwise-sub-mapper",
"oidc-full-name-mapper",
"oidc-usermodel-attribute-mapper",
"oidc-usermodel-property-mapper",
"oidc-address-mapper",
"saml-user-attribute-mapper",
"oidc-full-name-mapper",
"oidc-sha256-pairwise-sub-mapper",
"saml-role-list-mapper",
"saml-user-property-mapper",
"oidc-usermodel-attribute-mapper"
"saml-user-attribute-mapper",
"saml-user-property-mapper"
]
}
},
......@@ -1417,14 +1562,14 @@
"subComponents": {},
"config": {
"allowed-protocol-mapper-types": [
"oidc-usermodel-property-mapper",
"saml-user-attribute-mapper",
"oidc-sha256-pairwise-sub-mapper",
"saml-role-list-mapper",
"oidc-full-name-mapper",
"oidc-address-mapper",
"oidc-sha256-pairwise-sub-mapper",
"oidc-usermodel-property-mapper",
"saml-user-property-mapper",
"oidc-usermodel-attribute-mapper"
"oidc-usermodel-attribute-mapper",
"saml-role-list-mapper",
"oidc-full-name-mapper"
]
}
},
......@@ -1484,7 +1629,7 @@
"supportedLocales": [],
"authenticationFlows": [
{
"id": "2056fee5-f4f6-4512-bed4-92fd8c19b711",
"id": "f27dda1c-4747-4bb8-aa1c-5371069dd35e",
"alias": "Account verification options",
"description": "Method with which to verity the existing account",
"providerId": "basic-flow",
......@@ -1508,7 +1653,7 @@
]
},
{
"id": "879aa7bd-f55a-4cdc-afe6-74727906f2c0",
"id": "146480fe-8a17-4612-ad24-6411839251cc",
"alias": "Authentication Options",
"description": "Authentication options.",
"providerId": "basic-flow",
......@@ -1539,7 +1684,7 @@
]
},
{
"id": "be7d7118-c0ba-4b32-96ce-ea0d94d3316b",
"id": "5b117ee3-8c24-4769-a4f4-7dfdaefd1ce3",
"alias": "Browser - Conditional OTP",
"description": "Flow to determine if the OTP is required for the authentication",
"providerId": "basic-flow",
......@@ -1563,7 +1708,7 @@
]
},
{
"id": "d4dbb1a6-8ba5-4337-bcac-fb9ad1fd816b",
"id": "cd6696ba-069f-4ef7-b8c2-620c8f441a6e",
"alias": "Direct Grant - Conditional OTP",
"description": "Flow to determine if the OTP is required for the authentication",
"providerId": "basic-flow",
......@@ -1587,7 +1732,7 @@
]
},
{
"id": "0c09fea7-b7ad-412f-8c7c-c82df6213e8e",
"id": "d4e367b4-89e6-4f54-9932-809f131d97f2",
"alias": "First broker login - Conditional OTP",
"description": "Flow to determine if the OTP is required for the authentication",
"providerId": "basic-flow",
......@@ -1611,7 +1756,7 @@
]
},
{
"id": "fefc340c-c0ab-4302-9eea-935765ae985a",
"id": "9dd46626-13bc-4b77-9e5e-51578165daa2",
"alias": "Handle Existing Account",
"description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
"providerId": "basic-flow",
......@@ -1635,7 +1780,7 @@
]
},
{
"id": "fb911ce2-1b3e-4f48-acdf-4cd9fb0e7f32",
"id": "ce67c697-f3d4-47fa-ae55-4e678d0dad15",
"alias": "Reset - Conditional OTP",
"description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
"providerId": "basic-flow",
......@@ -1659,7 +1804,7 @@
]
},
{
"id": "55a33e67-e959-4d08-8a60-39c0da3a6348",
"id": "5ee12603-8be4-4890-8032-236725c9c609",
"alias": "User creation or linking",
"description": "Flow for the existing/non-existing user alternatives",
"providerId": "basic-flow",
......@@ -1684,7 +1829,7 @@
]
},
{
"id": "9fdac6e7-68d7-409e-9b54-fb7accbc1fb7",
"id": "e6f39589-fdb6-4173-8cc8-2aea38d53174",
"alias": "Verify Existing Account by Re-authentication",
"description": "Reauthentication of existing account",
"providerId": "basic-flow",
......@@ -1708,7 +1853,7 @@
]
},
{
"id": "94ba0097-a478-49f3-993e-5b6935f5ee71",
"id": "bf00fe7e-a96c-4dab-84d9-bfdf4e6f7183",
"alias": "browser",
"description": "browser based authentication",
"providerId": "basic-flow",
......@@ -1746,7 +1891,7 @@
]
},
{
"id": "3a97e106-e814-4281-ac84-bb0c5998e2a2",
"id": "d5f5b755-db74-42c5-993c-0e355333f7e0",
"alias": "clients",
"description": "Base authentication for clients",
"providerId": "client-flow",
......@@ -1784,7 +1929,7 @@
]
},
{
"id": "748dde71-1e8f-440e-997e-39b2044772d7",
"id": "8c30e553-3fb5-4c8f-af2f-80263d9084bd",
"alias": "direct grant",
"description": "OpenID Connect Resource Owner Grant",
"providerId": "basic-flow",
......@@ -1815,7 +1960,7 @@
]
},
{
"id": "662717c8-dbe8-443c-9365-d09a10c817ae",
"id": "6a2b3a7e-d91c-4e5f-a867-5717834f13b8",
"alias": "docker auth",
"description": "Used by Docker clients to authenticate against the IDP",
"providerId": "basic-flow",
......@@ -1832,7 +1977,7 @@
]
},
{
"id": "c3a56896-ae86-449c-ae4d-ffa4165a973d",
"id": "10d04c66-b4b8-4b1f-852b-7de894b6afd1",
"alias": "first broker login",
"description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
"providerId": "basic-flow",
......@@ -1857,7 +2002,7 @@
]
},
{
"id": "0797452c-9b07-41fc-b51f-87b816e2df2c",
"id": "55a18bb9-0177-4323-b353-12d6ae713021",
"alias": "forms",
"description": "Username, password, otp and other auth forms.",
"providerId": "basic-flow",
......@@ -1881,7 +2026,7 @@
]
},
{
"id": "47ee9645-b658-4605-a387-77fc988d5161",
"id": "9c6856c0-9604-4dc5-ac99-d94e38e2655e",
"alias": "http challenge",
"description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
"providerId": "basic-flow",
......@@ -1905,7 +2050,7 @@
]
},
{
"id": "7ab9db2e-ac51-4f21-a207-8f3ee5e53efb",
"id": "b9d0a83e-c789-471a-84b4-6cf374a80bb7",
"alias": "registration",
"description": "registration flow",
"providerId": "basic-flow",
......@@ -1923,7 +2068,7 @@
]
},
{
"id": "1debcdf1-f7a4-42ee-9051-11eccbc52e53",
"id": "6df10b33-7366-43ec-8468-db59bb2e4a08",
"alias": "registration form",
"description": "registration form",
"providerId": "form-flow",
......@@ -1961,7 +2106,7 @@
]
},
{
"id": "d1978ec2-8f22-4d4d-8b4b-39c2c2e04a84",
"id": "2dcff4f4-97d7-487c-8fdd-f6ff72fa6b46",
"alias": "reset credentials",
"description": "Reset credentials for a user if they forgot their password or something",
"providerId": "basic-flow",
......@@ -1999,7 +2144,7 @@
]
},
{
"id": "48419a2f-55b4-4682-909f-d9a4ab98af66",
"id": "ac9af44d-c5ba-4879-9092-e1c7543047b0",
"alias": "saml ecp",
"description": "SAML ECP Profile Authentication Flow",
"providerId": "basic-flow",
......@@ -2018,14 +2163,14 @@
],
"authenticatorConfig": [
{
"id": "3962b227-132b-459c-80ab-f7d23df2578e",
"id": "6e27e549-7ee3-4851-b6e4-775382de017c",
"alias": "create unique user config",
"config": {
"require.password.update.after.registration": "false"
}
},
{
"id": "97dc333b-9ea1-4cd4-a557-f6be88b72a6f",
"id": "827070c6-fe54-4194-82f9-57dd103a84c0",
"alias": "review profile config",
"config": {
"update.profile.on.first.login": "missing"
......@@ -2078,6 +2223,15 @@
"priority": 50,
"config": {}
},
{
"alias": "delete_account",
"name": "Delete Account",
"providerId": "delete_account",
"enabled": false,
"defaultAction": false,
"priority": 60,
"config": {}
},
{
"alias": "update_user_locale",
"name": "Update User Locale",
......@@ -2100,6 +2254,6 @@
"clientSessionMaxLifespan": "0",
"clientOfflineSessionIdleTimeout": "0"
},
"keycloakVersion": "11.0.2",
"keycloakVersion": "12.0.4",
"userManagedAccessAllowed": false
}
\ No newline at end of file
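Review bot: The new `anis-server` client has `directAccessGrantsEnabled: true` and `serviceAccountsEnabled: true`, and the added `service-account-anis-server` user is granted the `anis_admin` realm role, so a client_credentials call with this client's secret obtains a token carrying `anis_admin`; nothing in the export records that this realm is meant for local development beyond the `http://localhost:8080` URLs. JSON cannot carry a comment, so the commit description or the repository README should state that this realm file is dev-only and that the service account holds `anis_admin`. If the server does not use the password grant, `directAccessGrantsEnabled` could be `false` here. The `defaultRoles` reorder and the regenerated flow ids look like export noise rather than intended changes.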
http://www.mocodo.net/
DF3, 0N criteria_family, 01 attribute
criteria_family: id, label, display, dataset_name
:
output_family: id, label, display, dataset_name
:
attribute: id, name, table_name, label, form_label, description, output_display, criteria_display, search_flag, search_type, operator, type, min, max, placeholder_min, placeholder_max, renderer, renderer_config, display_detail, selected, order_by, order_display, detail, renderer_detail, options, vo_utype, vo_ucd, vo_unit, vo_description, vo_datatype, vo_size
DF9, 0N output_category, 01 attribute
output_category: id, label, display
DF8, 11 output_category, 0N output_family
instance: name, label, clientUrl, config
DF4, 0N dataset, 11 attribute
dataset: name, table_ref, label, description, display, count, vo, data_path, config, public
DF2, ON dataset_family, 11 dataset
dataset_family: id, label, display
DF5, 0N instance, 11 dataset_family
group: id, role, instance_name
groups_datasets, 0N group, 0N dataset
DF1, 0N project, 11 dataset
project: name, label, description, link, manager
DF, 0N database, 11 project
database: id, label, dbname, type, host, port, login, password
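Review bot: `DF2, ON dataset_family, 11 dataset` uses the letter O where every other association uses the digit zero (`0N`); mocodo will most likely reject `ON` as a cardinality, so the line should read `DF2, 0N dataset_family, 11 dataset`. The `database` entity lists `login, password` next to `host, port`, and the model does not say whether that password is stored in clear in the metadata database; that is worth a sentence in the accompanying documentation. This section has no hunk header, so it is presumably a new file.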
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplPCdQmPmmqR/CisztTpIfxNWsD1ALO2MNZxO/MpltP/TPJdPJVZQwoefgcmVO5pYnjeWwn8mlbFe5NgpCWGEWS9nc29FGx/VGxMhdkaM9xwcN8gmFx9Z97FUv3ciyyJw8MzgGszwRQnmVE8J5KxsuYXHWrfedF9twcS9r0klyvCmYn1loCX0tO+JLph7NFRR2Cbou3bYtw75C/2LZf/UfhrfKZ6wWaM/94hEQ6K1m7WrzSQgFvSpzex0Ff5kSjaSxLH/gjRLFt7yTi7/dzdqItze2rFsI/YGllWrR+6dTEbCJHnYZh3RTbF3nohuOaTfdS5ikxmWdI5kCIBPFW10QIDAQAB
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi5V9FJj0dI/2TRDWoZzSKDa8l5N81sCQUunZaEuyBx3EW5cDioL2ktdc3LCB5u+rVQzYD6c3b24eLbgwgYx8AQ03GXW63TkuUy7oEA1XtBicNX/IO51ITUCeUJfJpUI+iGDEK4EmeVBiaVUTrQ8L/SMTQUcRPESNwaRmFov9kkNDiPaNQpAzbSillJLdQG9oOIKDpqjXW+ZOBct1J//+8+f0vHibbDt2HacFrq2z2ahv10ESnxqtnzjMMcn0e/IDIiolsQpcCpEwaBBqJ6axUiKReJBXU/IsFn/GtemLwPo/MpthjIi1rfqPvtin25ecR9VAWRW0bLdqztnMsfJ3oQIDAQAB
-----END PUBLIC KEY-----
......@@ -17,7 +17,7 @@ services:
LOGGER_NAME: "anis-metamodel"
LOGGER_PATH: "php://stderr"