Skip to main content

group-auth-plugin

keycloak-connector-group-auth

Description

A custom plugin enabling permission management via Keycloak groups. Adds functionality to keycloak-connector-server.

Example Usage

/** Example usage for ARM */
/** Example usage for ARM */
router.get(
"/members/:org_id?",
authenticateAdmin,
groupAuths({
requireAdmin: true,
}),
async (req, res) => {
/**
* Require Admin logic (user must have at least one of the listed permissions)
* - org_id in request:
* - darksaber-admin
* - organizations/<org_id>/admin
* - app_id in request:
* - darksaber-admin
* - applications/<app_id>/app-admin
* - org_id and app_id in request:
* - darksaber-admin
* - applications/<app_id>/app-admin
* - applications/<app_id>/<org_id>/admin AND organizations/<org_id>/*
*/

/**
* Now you have access to the following variables:
* body.keycloak.ga.appId (string or null) // The validated application id
* body.keycloak.ga.orgId (string or null) // The validated organization id
* body.keycloak.ga.groups (string[] or null) // The group (or all groups) that matched this rule
* body.keycloak.userInfo (object from KC) **already a part of base library
*/
}
);

/** Example usage in a regular app */
const groupAuths = groupAuthConfig({
app: 'fdrm',
orgParam: 'org_id', // default value
appParam: 'app_id', // default value
requireAdmin: false, // default value
superAdminGroup: '/darksaber-admin', // default value
permission: 'user', // default value
listAllMatchingGroups: false, // default value
inheritanceTree: {
'admin': ['supervisor'],
'supervisor': ['user']
},
});

router.get(
`/:org_id/all-tools`,
groupAuths('supervisor'),
async (req, res) => {
/**
* Assuming request was '/1234-5678-90/all-tools', then...
*
* This route is accessible by those with any of the following groups:
* - `/darksaber-admin`
* - `/applications/fdrm/app-admin`
* - `/applications/fdrm/1234-5678-90/admin` AND `/organizations/1234-5678-90/*`
* - `/applications/fdrm/1234-5678-90/supervisor` AND `/organizations/1234-5678-90/*`
*/

}
)

router.get(
`/:app_id/status`,
groupAuths('supervisor'),
async (req, res) => {
/**
* Assuming request was '/ABCD-EFGH-IJ/status', then...
*
* This route is accessible by those with any of the following groups:
* - `/darksaber-admin`
* - `/applications/ABCD-EFGH-IJ/app-admin`
* - `/applications/ABCD-EFGH-IJ/<any org-id>/admin` AND `/organizations/<matching-org-id>/*`
* - `/applications/ABCD-EFGH-IJ/<any org-id>/supervisor` AND `/organizations/<matching-org-id>/*`
*/

}
)

router.get(
`/:app_id/:org_id/status`,
groupAuths('supervisor'),
async (req, res) => {
/**
* Assuming request was '/ABCD-EFGH-IJ/1234-5678-90/status', then...
*
* This route is accessible by those with any of the following groups:
* - `/darksaber-admin`
* - `/applications/ABCD-EFGH-IJ/app-admin`
* - `/applications/ABCD-EFGH-IJ/1234-5678-90/admin` AND `/organizations/1234-5678-90/*`
* - `/applications/ABCD-EFGH-IJ/1234-5678-90/supervisor` AND `/organizations/1234-5678-90/*`
*/

}
)

router.get(
`/status`,
groupAuths('supervisor'),
async (req, res) => {
/**
* Assuming request was '/status', then...
*
* This route is accessible by those with any of the following groups:
* - `/darksaber-admin`
* - `/applications/ABCD-EFGH-IJ/app-admin`
* - `/applications/ABCD-EFGH-IJ/supervisor`
* - `/applications/ABCD-EFGH-IJ/<any org-id>/admin` AND `/organizations/<matching-org-id>/*`
* - `/applications/ABCD-EFGH-IJ/<any org-id>/supervisor` AND `/organizations/<matching-org-id>/*`
*/

}
)

router.get(
`/status/:org_id`,
groupAuths('supervisor', {noImplicitApp: true}),
async (req, res) => {
/**
* Assuming request was '/status', then...
*
* This route is accessible by those with any of the following groups:
* - `/darksaber-admin`
* - `/organizations/ABCD-EFGH-IJ/app-admin`
* - `/organizations/ABCD-EFGH-IJ/supervisor`
*/

}
)

/** Standalone function call */
// Use case: Endpoint exists to take N-number organization ids through a form POST, and need to confirm permissions
const hasPermission = groupAuthCheck({
org_id: '1234-5678-90',
}, {
requireAdmin: true,
// ...add any other groupAuthConfig parameters
});

// Or even checking a certain privilege in each app
const hasPermission = groupAuthCheck({
app_id: '1234-5678-90',
}, {
permission: 'supervisor'
// ...add any other groupAuthConfig parameters
});