feat: add custom user profile endpoint

The default endpoint only returns the "admin" view of a user profile, which is not what we want in the client, the custom endpoint allows us to decide which "mode" we want to request the profile in.

Author: Neunerlei

README.md

@@ -157,7 +157,19 @@ The body of the request should be a [UPConfig](https://www.keycloak.org/docs-api
 
 Required roles: `hawk-manage-profile-structure`
 
-#### POST User Profile Data
+#### GET User Profile Data
+`/realms/{realm}/hawk/profile/{userId}`
+
+Returns the profile data of a user. This is a custom endpoint that allows the client to choose if the
+profile should be returned as the user itself or as an admin. The userProfileMetadata is ALWAYS returned,
+otherwise the endpoint behaves exactly like: `/admin/realms/{realm}/users/{userId}`
+
+Supported query parameters:
+* **mode** - user|admin - If set to "admin" the update will be done as an admin, otherwise as the user itself
+
+Required roles: `view-users`
+
+#### PUT User Profile Data
 `/realms/{realm}/hawk/profile/{userId}`
 
 Allows your client to update the profile data of a user. This is a custom endpoint that
@@ -166,6 +178,9 @@ using impersonation to update the user.
 
 The body of the request should be a [UserRepresentation](https://www.keycloak.org/docs-api/latest/rest-api/index.html#UserRepresentation)
 
+Supported query parameters:
+* **mode** - user|admin - If set to "admin" the update will be done as an admin, otherwise as the user itself
+
 Required roles: `hawk-manage-profile-data`
 
 #### GET Cache Buster

src/main/java/com/hawk/keycloak/ApiRoot.java

@@ -1,6 +1,7 @@
 package com.hawk.keycloak;
 
 import com.hawk.keycloak.auth.HawkPermissionEvaluator;
+import com.hawk.keycloak.profiles.ProfileMode;
 import com.hawk.keycloak.resources.model.UserResourcePermission;
 import com.hawk.keycloak.resources.model.UserResourcePermissionsRequest;
 import com.hawk.keycloak.util.model.ConnectionInfo;
@@ -15,14 +16,14 @@
 import org.jboss.resteasy.annotations.cache.NoCache;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.protocol.oidc.TokenManager;
-import org.keycloak.representations.account.UserRepresentation;
+import org.keycloak.representations.idm.AbstractUserRepresentation;
 import org.keycloak.representations.idm.RoleRepresentation;
+import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.representations.userprofile.config.UPConfig;
 import org.keycloak.services.resources.admin.AdminAuth;
 
 import java.util.Collection;
 import java.util.List;
-import java.util.Map;
 import java.util.stream.Stream;
 
 public class ApiRoot extends org.keycloak.services.resources.admin.AdminRoot {
@@ -191,17 +192,33 @@ public Response putProfileStructure(UPConfig config) {
         return requestHandlerFactory.profileStructureRequestHandler(authenticate()).handleUpdateStructure(config);
     }
 
+    @GET
+    @Path("profile/{user}")
+    @Produces(MediaType.APPLICATION_JSON)
+    public AbstractUserRepresentation getUserProfile(
+            @Parameter(description = "The id of the user to get the profile for") @PathParam("user") String userId,
+            @Parameter(description = "Defines the requesting role. Can be 'user' (default) to get the profile in the user view or 'admin' to get the profile in the admin view") @QueryParam("mode") String mode
+    ) {
+        return requestHandlerFactory.profileDataRequestHandler(authenticate())
+                .handleProfileRequest(
+                        session.users().getUserById(session.getContext().getRealm(), userId),
+                        ProfileMode.fromString(mode)
+                );
+    }
+
     @PUT
     @Path("profile/{user}")
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     public Response updateUserProfile(
             @Parameter(description = "The id of the user to update the profile for") @PathParam("user") String userId,
+            @Parameter(description = "Defines the requesting role. Can be 'user' (default) to update the profile as the user, or 'admin' to update the profile as admin") @QueryParam("mode") String mode,
             UserRepresentation rep
     ) {
         return requestHandlerFactory.profileDataRequestHandler(authenticate())
                 .handleProfileUpdateRequest(
                         session.users().getUserById(session.getContext().getRealm(), userId),
+                        ProfileMode.fromString(mode),
                         rep
                 );
     }

src/main/java/com/hawk/keycloak/profiles/ProfileDataRequestHandler.java

@@ -9,8 +9,9 @@
 import org.keycloak.events.EventType;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.UserModel;
-import org.keycloak.representations.account.UserRepresentation;
+import org.keycloak.representations.idm.AbstractUserRepresentation;
 import org.keycloak.representations.idm.ErrorRepresentation;
+import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.services.ErrorResponse;
 import org.keycloak.services.messages.Messages;
 import org.keycloak.storage.ReadOnlyException;
@@ -25,7 +26,17 @@ public class ProfileDataRequestHandler {
     private final HawkPermissionEvaluator auth;
     private final EventBuilder event;
 
-    public Response handleProfileUpdateRequest(UserModel user, UserRepresentation rep) {
+    public AbstractUserRepresentation handleProfileRequest(UserModel user, ProfileMode mode) {
+        auth.admin().users().requireView();
+
+        if(user == null){
+            throw new NotFoundException("User not found");
+        }
+
+        return getProfile(user, mode, null).toRepresentation();
+    }
+
+    public Response handleProfileUpdateRequest(UserModel user, ProfileMode mode, UserRepresentation rep) {
         auth.requireManageProfileData();
 
         if(user == null){
@@ -34,11 +45,9 @@ public Response handleProfileUpdateRequest(UserModel user, UserRepresentation re
 
         event.event(EventType.UPDATE_PROFILE).detail(Details.CONTEXT, UserProfileContext.ACCOUNT.name());
 
-        UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
-        UserProfile profile = profileProvider.create(UserProfileContext.ACCOUNT, rep.getRawAttributes(), user);
+        UserProfile profile = getProfile(user, mode, rep);
 
         try {
-
             profile.update(new EventAuditingAttributeChangeListener(profile, event));
 
             event.success();
@@ -55,6 +64,17 @@ public Response handleProfileUpdateRequest(UserModel user, UserRepresentation re
         }
     }
 
+    private UserProfile getProfile(UserModel user, ProfileMode mode, UserRepresentation rep) {
+        UserProfileContext context = mode == ProfileMode.USER ? UserProfileContext.ACCOUNT : UserProfileContext.USER_API;
+        UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
+
+        if(rep == null){
+            return profileProvider.create(context, user);
+        }
+
+        return profileProvider.create(context, rep.getRawAttributes(), user);
+    }
+
     private String[] validationErrorParamsToString(Object[] messageParameters, Attributes userProfileAttributes) {
         if(messageParameters == null)
             return null;

src/main/java/com/hawk/keycloak/profiles/ProfileMode.java

@@ -0,0 +1,15 @@
+package com.hawk.keycloak.profiles;
+
+import java.util.Objects;
+
+public enum ProfileMode {
+    USER,
+    ADMIN;
+
+    public static ProfileMode fromString(String mode) {
+        if (!Objects.equals(mode, "admin")) {
+            return USER;
+        }
+        return ADMIN;
+    }
+}