ldap subgroup members not recognized about keycloak-docker-group-role-mapper HOT 5 OPEN

Hi austride,

thanks for using my plugin! 😄

I have not thought about subgroups yet, thats why the code only looks in the groups directly. I will have a look on that as soon as possible.

from keycloak-docker-group-role-mapper.

Thank you. I am not a java developer otherwise I would do it. But I think its as simple as adding a Stream.concat if I am reading this correctly:
https://www.keycloak.org/docs-api/21.1.1/javadocs/org/keycloak/models/UserModel.html#getGroupsStream()
https://www.keycloak.org/docs-api/21.1.1/javadocs/org/keycloak/models/GroupModel.html#getSubGroupsStream()

internal fun getUserNamespacesFromGroups(user: UserModel): Collection<String> {
    return Stream.concat( user.groupsStream.filter { it.name.startsWith(GROUP_PREFIX) }
                          .map { it.name.lowercase().replace(GROUP_PREFIX, "")},
                          user.groupsStream.subgroupsStream.filter { it.name.startsWith(GROUP_PREFIX) }
                          .map { it.name.lowercase().replace(GROUP_PREFIX, "") }).toList()
}

Additionally... it would be really slick if you added a "REGISTRY_NAMESPACE_SCOPE" called "group_mapper" so someone could pass in a yaml/json variable like this and use whatever existing group names they want...

REGISTRY_NAMESPACE_GROUP_MAPPER: '{"nmsp-1":["GROUP_A"],"nmsp-2":["GROUP_B"],"nmsp-3":["GROUP_A","GROUP_B"]}'

Then you could check to see if the list REGISTRY_NAMESPACE_GROUP_MAPPER[namespace] intersects with user.groupsStream.toList(). If the resulting intersect returns more than 1 group, then you grant access. Otherwise, deny.

This way someone wouldn't have to mess at all with adding/maintaining special "registry-" groups in keycloak. I've always found that the less times you are in the keycloak UI the better!

from keycloak-docker-group-role-mapper.

Hi @austride

I have created a new release:
https://github.com/alexanderwolz/keycloak-docker-group-role-mapper/releases/tag/v1.5.2

Can you double check if your LDAP subgroups now are recognized?

I have also added a custom property for the group prefix. I also like the idea of a custom group mapper, but haven't had the time to look at it yet.

I hope this fix helps you by now!

from keycloak-docker-group-role-mapper.

Awesome! I should have time to check this out this week.

from keycloak-docker-group-role-mapper.

I seem to have gotten it to work... but I am confused as to how its working.

First thing I tried was this:
Created group: registry-grp1
Created sub-group: ldap_group_name
No luck..

Second thing I tried was this
Under the ldap_group_name, I created sub-group: registry-grp1
This seems to work!

I am not sure why this works as I thought the first option should have worked... but maybe not?

In any event, the second option is actually better/cleaner as now the registery-grp1 is just a subgroup of my top level ldap groups.

from keycloak-docker-group-role-mapper.