feat: refactor user lookup and resource handling with new UserFinder and ResourceFinder classes

streamline code, merged "shared-with" and "shared-by" resource endpoints into the generic endpoint. The latter is technically a breaking change, but since currently nobody uses the library, I will count this as a minor update

Author: Neunerlei

README.md

@@ -69,7 +69,15 @@ Returns a list of authorization resource definitions for the client requesting t
 that can be used to filter resources based on their ids.
 
 Supported query parameters:
-* **ids** - A list of resource ids to search for, in the format `id1,id2`. If provided, the search and attributes parameters CAN NOT be used.
+* **ids** - A list of resource ids to search for, in the format `id1,id2`. If provided the filters "name", "owner", "type" and "uri" can not be used. (Exception owner + sharedOnly, this is allowed)
+* **name** - Allows for filtering the resources by their name, by default a partial search is done, set 'exactName' for exact matching
+* **uri** - Allows filtering the resources by the uri
+* **owner** - The uuid of a user will only return resources owned by the user
+* **sharedWith** - Allows filtering the resources to all resources shared with the user with the given uuid
+* **sharedOnly** - If true, only resources shared with the user will be returned. Enabling this flag MUST be accompanied by the "owner" filter, that is the user id which shared the resources.
+* **idsOnly** - If set, only the ids of the resources are returned
+* **exactName** - If set only resources that match the name-filter exactly will be returned
+* **type** - Allows for filtering for types of resources
 * **first** - The first result to return (0-based)
 * **max** - The maximum number of results to return (default 100)
 
@@ -100,30 +108,6 @@ Expected body:
 }
 ```
 
-#### GET Resources shared with User
-`/realms/{realm}/hawk/resources/shared-with/{userId}`
-
-Returns a list of resource ids that have been shared with the specified user. (Shared means, the resources
-have been specifically allowed to the user by a UMA ticket or using the "Allow Resource to User" endpoint).
-
-Supported query parameters:
-* **first** - The first result to return (0-based)
-* **max** - The maximum number of results to return (default 100)
-
-Required roles: `hawk-view-resource-permissions` or `hawk-manage-resource-permissions` or both.
-
-#### GET Resources shared by User
-`/realms/{realm}/hawk/resources/shared-by/{userId}`
-
-Returns a list of resource ids that have been shared by the specified user. (Shared means, the resources
-have been specifically allowed to the user by a UMA ticket or using the "Allow Resource to User" endpoint).
-
-Supported query parameters:
-* **first** - The first result to return (0-based)
-* **max** - The maximum number of results to return (default 100)
-
-Required roles: `hawk-view-resource-permissions` or `hawk-manage-resource-permissions` or both.
-
 #### GET Roles
 `/realms/{realm}/hawk/roles`
 

src/main/java/com/hawk/keycloak/ApiRoot.java

@@ -17,7 +17,6 @@
 import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.representations.account.UserRepresentation;
 import org.keycloak.representations.idm.RoleRepresentation;
-import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 import org.keycloak.representations.userprofile.config.UPConfig;
 import org.keycloak.services.resources.admin.AdminAuth;
 
@@ -39,7 +38,7 @@ public ApiRoot(RequestHandlerFactory requestHandlerFactory, KeycloakSession sess
     @Path("users")
     @Produces(MediaType.APPLICATION_JSON)
     @NoCache
-    public Stream<Map<String, Object>> getUsers(
+    public Response getUsers(
             @Parameter(description = "A String contained in username, first or last name, or email. Default search behavior is prefix-based (e.g., foo or foo*). Use *foo* for infix search and \"foo\" for exact search.") @QueryParam("search") String search,
             @Parameter(description = "A query to search for custom attributes, in the format 'key1:value2 key2:value2'") @QueryParam("attributes") String attributes,
             @Parameter(description = "List of comma separated user ids, in the format 'id1,id2'") @QueryParam("ids") String ids,
@@ -65,34 +64,48 @@ public Stream<Map<String, Object>> getUsers(
     @Path("users/count")
     @Produces(MediaType.TEXT_PLAIN)
     @NoCache
-    public String getUsersCount(
+    public Response getUsersCount(
             @Parameter(description = "A String contained in username, first or last name, or email. Default search behavior is prefix-based (e.g., foo or foo*). Use *foo* for infix search and \"foo\" for exact search.") @QueryParam("search") String search,
             @Parameter(description = "A query to search for custom attributes, in the format 'key1:value2 key2:value2'") @QueryParam("attributes") String attributes,
             @Parameter(description = "If true, only users with an active session (in any client of the realm) will be counted") @QueryParam("onlineOnly") Boolean onlineOnly
     ) {
-        return String.valueOf(
-                requestHandlerFactory
-                        .usersRequestHandler(authenticate())
-                        .getUserCount(
-                                search,
-                                attributes,
-                                onlineOnly
-                        )
-        );
+        return requestHandlerFactory
+                .usersRequestHandler(authenticate())
+                .getUserCount(
+                        search,
+                        attributes,
+                        onlineOnly
+                );
     }
 
     @GET
     @Path("resources")
     @Produces(MediaType.APPLICATION_JSON)
-    public Stream<ResourceRepresentation> getResources(
+    public Response getResources(
             @Parameter(description = "List of comma separated resource ids, in the format 'id1,id2'") @QueryParam("ids") String ids,
+            @Parameter(description = "The uuid of a user will return only resources shared with that user") @QueryParam("sharedWith") String sharedWith,
+            @Parameter(description = "Allows for filtering the resources by their name, by default a partial search is done, set 'exactName' for exact matching") @QueryParam("name") String name,
+            @Parameter(description = "Allows filtering the resources by the uri") @QueryParam("uri") String uri,
+            @Parameter(description = "The uuid of a user will only return resources owned by the user") @QueryParam("owner") String owner,
+            @Parameter(description = "If enabled AND the owner is set, only resources shared by the owner will be returned") @QueryParam("sharedOnly") Boolean sharedOnly,
+            @Parameter(description = "If set, only the ids of the resources are returned") @QueryParam("idsOnly") Boolean idsOnly,
+            @Parameter(description = "If set only resources that match the name-filter exactly will be returned") @QueryParam("exactName") Boolean exactName,
+            @Parameter(description = "Allows for filtering for types of resources") @QueryParam("type") String type,
             @Parameter(description = "Pagination offset") @QueryParam("first") Integer firstResult,
             @Parameter(description = "Maximum results size (defaults to 100)") @QueryParam("max") Integer maxResults
     ) {
         return requestHandlerFactory
                 .resourceRequestHandler(authenticate())
                 .handleGetResourcesRequest(
                         commaListToCollection(ids),
+                        sharedWith,
+                        name,
+                        uri,
+                        owner,
+                        type,
+                        exactName,
+                        idsOnly,
+                        sharedOnly,
                         firstResult,
                         maxResults
                 );
@@ -127,32 +140,6 @@ public Response setResourceUserPermissions(
                 );
     }
 
-    @GET
-    @Path("resources/shared-with/{user}")
-    @Produces(org.keycloak.utils.MediaType.APPLICATION_JSON)
-    public Response getResourcesSharedWithUser(
-            @Parameter(description = "The id of the user to find the resources shared with") @PathParam("user") String userId,
-            @Parameter(description = "Pagination offset") @QueryParam("first") Integer firstResult,
-            @Parameter(description = "Maximum results size (defaults to 100)") @QueryParam("max") Integer maxResults
-    ) {
-        return requestHandlerFactory
-                .sharedResourceRequestHandler(authenticate())
-                .handleSharedWithUserRequest(userId, firstResult, maxResults);
-    }
-
-    @GET
-    @Path("resources/shared-by/{user}")
-    @Produces(org.keycloak.utils.MediaType.APPLICATION_JSON)
-    public Response getResourcesSharedByUser(
-            @Parameter(description = "The id of the user to find the resources shared by") @PathParam("user") String userId,
-            @Parameter(description = "Pagination offset") @QueryParam("first") Integer firstResult,
-            @Parameter(description = "Maximum results size (defaults to 100)") @QueryParam("max") Integer maxResults
-    ) {
-        return requestHandlerFactory
-                .sharedResourceRequestHandler(authenticate())
-                .handleSharedByUserRequest(userId, firstResult, maxResults);
-    }
-
     @GET
     @Path("roles")
     @Produces(MediaType.APPLICATION_JSON)

src/main/java/com/hawk/keycloak/RequestHandlerFactory.java

@@ -5,18 +5,20 @@
 import com.hawk.keycloak.profiles.ProfileDataRequestHandler;
 import com.hawk.keycloak.profiles.ProfileStructureRequestHandler;
 import com.hawk.keycloak.resources.ResourceRequestHandler;
-import com.hawk.keycloak.resources.SharedResourceRequestHandler;
+import com.hawk.keycloak.resources.lookup.ResourceFinder;
 import com.hawk.keycloak.resources.lookup.ResourceUserFinder;
 import com.hawk.keycloak.resources.lookup.SharedResourceFinder;
 import com.hawk.keycloak.resources.service.ResourcePermissionSetter;
 import com.hawk.keycloak.roles.RolesRequestHandler;
+import com.hawk.keycloak.users.lookup.UserFinder;
 import com.hawk.keycloak.users.lookup.UserInfoGenerator;
 import com.hawk.keycloak.users.UsersRequestHandler;
 import com.hawk.keycloak.util.ConnectionInfoRequestHandler;
 import lombok.RequiredArgsConstructor;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.store.PermissionTicketStore;
+import org.keycloak.authorization.store.ResourceStore;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.services.resources.admin.AdminEventBuilder;
@@ -30,7 +32,21 @@ public CacheBusterRequestHandler cacheBusterRequestHandler(HawkPermissionEvaluat
     }
 
     public UsersRequestHandler usersRequestHandler(HawkPermissionEvaluator auth) {
-        return new UsersRequestHandler(session, auth, userInfoGenerator());
+        return new UsersRequestHandler(
+                new UserFinder(
+                        session.users(),
+                        session.sessions(),
+                        session.getContext().getRealm()
+                ),
+                session,
+                auth,
+                new UserInfoGenerator(
+                        session,
+                        session.getContext().getClient(),
+                        session.getContext().getUri(),
+                        session.getContext().getConnection()
+                )
+        );
     }
 
     public ConnectionInfoRequestHandler connectionInfoRequestHandler(HawkPermissionEvaluator auth) {
@@ -55,41 +71,33 @@ public ResourceRequestHandler resourceRequestHandler(HawkPermissionEvaluator aut
                 session.getContext().getClient()
         );
         PermissionTicketStore ticketStore = authorizationProvider.getStoreFactory().getPermissionTicketStore();
+        ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
         return new ResourceRequestHandler(
                 new ResourceUserFinder(ticketStore),
                 auth,
-                session,
-                authorizationProvider.getStoreFactory().getResourceStore(),
+                resourceStore,
                 resourceServer,
                 new ResourcePermissionSetter(
                         ticketStore,
                         resourceServer,
                         authorizationProvider.getStoreFactory().getScopeStore(),
-                        session,
-                        adminEventBuilder(auth)
+                        adminEventBuilder(auth),
+                        session.getContext().getUri()
                 ),
-                authorizationProvider
-        );
-    }
-
-    public SharedResourceRequestHandler sharedResourceRequestHandler(HawkPermissionEvaluator auth) {
-        AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class);
-        return new SharedResourceRequestHandler(
-                new SharedResourceFinder(
-                        provider.getStoreFactory().getPermissionTicketStore()
+                authorizationProvider,
+                new ResourceFinder(
+                        session,
+                        resourceStore,
+                        authorizationProvider.getStoreFactory().getResourceServerStore().findByClient(
+                                session.getContext().getClient()
+                        ),
+                        new SharedResourceFinder(ticketStore)
                 ),
-                auth,
-                session,
-                provider.getStoreFactory().getResourceServerStore().findByClient(
-                        session.getContext().getClient()
-                )
+                session.getContext().getRealm(),
+                session.users()
         );
     }
 
-    private UserInfoGenerator userInfoGenerator() {
-        return new UserInfoGenerator(session);
-    }
-
     private AdminEventBuilder adminEventBuilder(HawkPermissionEvaluator auth) {
         return new AdminEventBuilder(
                 session.getContext().getRealm(),

src/main/java/com/hawk/keycloak/resources/ResourceRequestHandler.java

@@ -1,6 +1,7 @@
 package com.hawk.keycloak.resources;
 
 import com.hawk.keycloak.auth.HawkPermissionEvaluator;
+import com.hawk.keycloak.resources.lookup.ResourceFinder;
 import com.hawk.keycloak.resources.lookup.ResourceUserFinder;
 import com.hawk.keycloak.resources.model.UserResourcePermission;
 import com.hawk.keycloak.resources.service.ResourcePermissionSetter;
@@ -11,33 +12,31 @@
 import org.keycloak.authorization.model.Resource;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.store.ResourceStore;
-import org.keycloak.models.Constants;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.UserModel;
+import org.keycloak.models.*;
 import org.keycloak.models.utils.ModelToRepresentation;
-import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 
 import java.util.Collection;
 import java.util.List;
-import java.util.Map;
 import java.util.stream.Stream;
 
 @RequiredArgsConstructor
 public class ResourceRequestHandler {
     private final ResourceUserFinder resourceUserFinder;
     private final HawkPermissionEvaluator auth;
-    private final KeycloakSession session;
     private final ResourceStore resourceStore;
     private final ResourceServer resourceServer;
     private final ResourcePermissionSetter permissionSetter;
     private final AuthorizationProvider authorization;
+    private final ResourceFinder resourceFinder;
+    private final RealmModel realm;
+    private final UserProvider userProvider;
 
     public Collection<UserResourcePermission> handleUsersOfResourceRequest(String resourceId) {
         auth.requireViewResourcePermissions();
 
         Resource resource = resourceStore.findById(resourceServer, resourceId);
 
-        if(resource == null){
+        if (resource == null) {
             throw new NotFoundException("Resource not found");
         }
 
@@ -47,13 +46,13 @@ public Collection<UserResourcePermission> handleUsersOfResourceRequest(String re
     public Response handleSetUserPermissionsRequest(String userId, String resourceId, List<String> scopes) {
         auth.requireManageResourcePermissions();
 
-        UserModel user = session.users().getUserById(session.getContext().getRealm(), userId);
-        if(user == null){
+        UserModel user = userProvider.getUserById(realm, userId);
+        if (user == null) {
             throw new NotFoundException("User not found");
         }
 
         Resource resource = resourceStore.findById(resourceServer, resourceId);
-        if(resource == null){
+        if (resource == null) {
             throw new NotFoundException("Resource not found");
         }
 
@@ -62,30 +61,26 @@ public Response handleSetUserPermissionsRequest(String userId, String resourceId
         return Response.noContent().build();
     }
 
-    public Stream<ResourceRepresentation> handleGetResourcesRequest(
+    public Response handleGetResourcesRequest(
             List<String> ids,
+            String sharedWith,
+            String name,
+            String uri,
+            String owner,
+            String type,
+            Boolean exactName,
+            Boolean idsOnly,
+            Boolean sharedOnly,
             Integer firstResult,
             Integer maxResult
     ) {
         auth.requireViewResourcePermissions();
+        Stream<Resource> resources = resourceFinder.findResources(ids, sharedWith, name, uri, owner, type, exactName, sharedOnly, firstResult, maxResult);
 
-        Stream<Resource> resources;
-
-        if(ids == null || ids.isEmpty()){
-            resources = resourceStore.find(
-                    this.resourceServer,
-                    Map.of(),
-                    firstResult != null ? firstResult : -1,
-                    maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS
-            ).stream();
-        } else {
-            resources = ids.stream().map(id -> resourceStore.findById(resourceServer, id));
+        if(idsOnly != null && idsOnly) {
+            return Response.ok(resources.map(Resource::getId)).build();
         }
 
-        return resources
-                .distinct()
-                .skip(firstResult != null ? firstResult : 0)
-                .limit(maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS)
-                .map(r -> ModelToRepresentation.toRepresentation(r, resourceServer, authorization, true));
+        return Response.ok(resources.map(r -> ModelToRepresentation.toRepresentation(r, resourceServer, authorization, true))).build();
     }
 }