All Downloads are FREE. Search and download functionalities are using the official Maven repository.

ca.gc.aafc.dina.security.KeycloakClaimParser Maven / Gradle / Ivy

The newest version!
package ca.gc.aafc.dina.security;

import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;

import lombok.extern.log4j.Log4j2;

/**
 * Utility class to parse Keycloak claims.
 */
@Log4j2
public final class KeycloakClaimParser {

  private KeycloakClaimParser() {
  }

  /**
   * Parses a list of Keycloak group claims and creates a Map of roles per group.
   * Expected format of the claim: /group/subgroup where the subgroup is matching 
   * the role. Unexpected formats and unknown group(s) will be ignored.
   * 
   * @param groupClaimList collection of group claims from Keycloak. Expected
   *                   structure /group/subgroup where subgroup also matches the
   *                   role
   * @return map representing the role(s) per group or an empty map
   */
  public static Map> parseGroupClaims(Collection groupClaimList) {
    if (CollectionUtils.isEmpty(groupClaimList)) {
      return Collections.emptyMap();
    }

    Map> rolesPerGroup = new LinkedHashMap<>();

    for (String groupClaim : groupClaimList) {
      String[] claimParts = StringUtils.removeStart(groupClaim, "/").split("/");
      if (claimParts.length == 2) {
        rolesPerGroup.putIfAbsent(claimParts[0], new LinkedHashSet<>());

        log.debug(() -> claimParts[0] + ":" + DinaRole.fromString(claimParts[1]));

        // unknown roles will be ignored
        DinaRole.fromString(claimParts[1]).ifPresent(rolesPerGroup.get(claimParts[0])::add);
      } else if (claimParts.length == 1) {
        // mostly for backward compatibility
        log.info(() -> "Single element groupClaim, adding as group: " + claimParts[0]);
        rolesPerGroup.putIfAbsent(claimParts[0], new LinkedHashSet<>());
      } else {
        log.warn("Ignoring unknown groupClaim {}, claimParts: {}", groupClaim, claimParts);
      }
    }

    return rolesPerGroup;
  }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy