Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support realm role attributes update #991

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

oriddd
Copy link

@oriddd oriddd commented Feb 21, 2024

What this PR does / why we need it:
This PR fixes a bug where attributes are being overridden instead of merged.

PR Readiness Checklist:

  • the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR
    Managed.md was updated.

Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

Copy link

codecov bot commented Feb 21, 2024

Codecov Report

Attention: 3 lines in your changes are missing coverage. Please review.

Comparison is base (e2af319) 95.53% compared to head (0b1856e) 95.70%.
Report is 33 commits behind head on main.

Files Patch % Lines
...sys/keycloak/config/service/RoleImportService.java 70.00% 1 Missing and 2 partials ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main     #991      +/-   ##
============================================
+ Coverage     95.53%   95.70%   +0.16%     
- Complexity     1324     1367      +43     
============================================
  Files            78       80       +2     
  Lines          4279     4376      +97     
  Branches        477      494      +17     
============================================
+ Hits           4088     4188     +100     
- Misses           91       93       +2     
+ Partials        100       95       -5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@francis-pouatcha francis-pouatcha self-requested a review June 10, 2024 09:37
Copy link
Member

@francis-pouatcha francis-pouatcha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@oriddd is there a chance you could merge current state of main into your pull request branch?

@oriddd oriddd force-pushed the supportRealmRoleAttributesUpdate branch from 0b1856e to d8afd78 Compare July 4, 2024 14:56
@oriddd oriddd force-pushed the supportRealmRoleAttributesUpdate branch from d8afd78 to bfe83ac Compare July 4, 2024 15:02
@oriddd
Copy link
Author

oriddd commented Jul 4, 2024

@francis-pouatcha Done.

@oriddd oriddd requested a review from francis-pouatcha July 4, 2024 15:20
| Client Scopes | - | `client-scope` |
| Scope Mappings | - | `scope-mapping` |
| Client Scope Mappings | - | `client-scope-mapping` |
| Roles | If not set as 'full', the attributes of realm-level role will be updated instead of override. | `role` |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't this change the defaul behavior of the application? Do we have a backward compatibility issue?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even is we set full as the default value, how do change the value for existing deployments?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I see it this change fixes a bug.
If I set the roles to be fully managed, then yes, I expect the data will be overridden.
I expect nothing will be deleted if I set the Roles with no-delete value.
Without this fix, there is data loss once the roles have no-delete managed configuration.

@@ -97,7 +97,7 @@ public RoleRepresentation getRealmRole(String realmName, String roleName) {

public List<RoleRepresentation> getRealmRoles(String realmName) {
return realmRepository.getResource(realmName)
.roles().list();
.roles().list(false);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any code that relies on the getRealmRoles method to retrieve a complete list of all roles (including composite ones) will now be affected. Do we know all consumers of this method?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getRealmRoles is used by only one method (RealmImportService :: doImport).
Anyway, the false flag is for the "briefRepresentation" - which is true by default to save memory I guess.
In that case, we need to get the full role and not only summarization cause we want to update it.

@@ -211,8 +212,21 @@ private void updateRoleIfNeeded(
) {
String roleName = roleToImport.getName();
RoleRepresentation patchedRole = CloneUtil.patch(existingRole, roleToImport, propertiesWithDependencies);
if (roleToImport.getAttributes() != null) {

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like method does what it is supposed to. But we need tests to

  1. Secure the behavior
  2. Secure backward compatibility Role=role -> full

How do we proceed for the removal of existing attributes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Development

Successfully merging this pull request may close these issues.

3 participants