Merge pull request #6180 from bcgov/chore/5915-2

chore(5915): add user attribute idir_user_guid to keycloak token

Author: Kolezhanchik

app/app/api/msgraph/search/route.ts

@@ -43,6 +43,7 @@ export const POST = createApiHandler({
             email: true,
             upn: true,
             idir: true,
+            idirGuid: true,
             officeLocation: true,
             jobTitle: true,
             image: true,

app/components/modal/userPicker.tsx

@@ -48,6 +48,7 @@ export const openUserPickerModal = createModal<ModalProps, ModalState>({
           !user.ministry && 'Your home ministry name is missing',
           !user.idir && 'Your IDIR is missing',
           !user.upn && 'Your UPN is missing',
+          !user.idirGuid && 'Your IDIR GUID is missing',
         ].filter((msg): msg is string => Boolean(msg))
       : [];
 

app/core/api-handler.ts

@@ -112,6 +112,7 @@ function createApiHandler<
               if (!kcUserId) return UnauthorizedResponse("token missing required 'kc-userid' claim");
 
               const kcUser = await findUser(kcUserId);
+
               if (!kcUser) return BadRequestResponse('keycloak user not found');
 
               session = await generateSession({
@@ -122,6 +123,7 @@ function createApiHandler<
                 userSession: {
                   email: kcUser.email ?? '',
                   roles: kcUser.authRoleNames.concat(GlobalRole.ServiceAccount),
+                  idirGuid: kcUser.attributes?.idir_guid,
                   teams: [],
                   sub: '',
                   accessToken: '',
@@ -141,6 +143,7 @@ function createApiHandler<
                 userSession: {
                   email: '',
                   roles: rolesArr.concat(GlobalRole.ServiceAccount),
+                  idirGuid: '',
                   teams: [],
                   sub: '',
                   accessToken: '',

app/core/auth-options.ts

@@ -9,22 +9,23 @@ import { JWT } from 'next-auth/jwt';
 import KeycloakProvider, { KeycloakProfile } from 'next-auth/providers/keycloak';
 import { IS_PROD, AUTH_SERVER_URL, AUTH_RELM, AUTH_RESOURCE, AUTH_SECRET, USER_TOKEN_REFRESH_INTERVAL } from '@/config';
 import { TEAM_SA_PREFIX, GlobalRole, RoleToSessionProp, sessionRolePropKeys } from '@/constants';
+import { logger } from '@/core/logging';
 import prisma from '@/core/prisma';
 import { EventType, Organization, TaskStatus, UserSession } from '@/prisma/client';
 import { createEvent } from '@/services/db';
 import { upsertUser } from '@/services/db/user';
-
 interface DecodedToken {
   resource_access?: Record<string, { roles: string[] }>;
+  idir_guid?: string | null;
   email: string;
   sub: string;
 }
-
+type KeycloakProfileWithIdir = KeycloakProfile & { idir_guid?: string };
 async function updateUserSession(tokens?: { access_token?: string; refresh_token?: string; id_token?: string }) {
   const { access_token = '', refresh_token = '', id_token = '' } = tokens ?? {};
-  const decodedToken = jwt.decode(access_token) as DecodedToken;
-  const { resource_access = {}, sub = '', email = '' } = decodedToken || {};
 
+  const decodedToken = jwt.decode(access_token) as DecodedToken;
+  const { resource_access = {}, sub = '', email = '', idir_guid } = decodedToken || {};
   const roles = _get(resource_access, `${AUTH_RESOURCE}.roles`, []) as string[];
   const teams: SessionTokenTeams[] = [];
 
@@ -39,6 +40,7 @@ async function updateUserSession(tokens?: { access_token?: string; refresh_token
 
   const userSessionData = {
     email: loweremail,
+    idirGuid: idir_guid,
     nextTokenRefreshTime,
     roles,
     sub,
@@ -148,6 +150,7 @@ export async function generateSession({
     name: '',
     email: '',
     image: '',
+    idirGuid: '',
   };
 
   session.tasks = [];
@@ -156,15 +159,15 @@ export async function generateSession({
     const [user, userSession] = await Promise.all([
       prisma.user.findFirst({
         where: { email: token.email },
-        select: { id: true, email: true, image: true },
+        select: { id: true, email: true, image: true, idirGuid: true },
       }),
       userSessionOverride ??
         prisma.userSession.findFirst({
           where: { email: token.email },
         }),
     ]);
-
     if (userSession) {
+      session.user.idirGuid = userSession.idirGuid;
       session.idToken = userSession.idToken;
       session.kcUserId = userSession.sub;
       session.roles = userSession.roles;
@@ -179,7 +182,7 @@ export async function generateSession({
       session.user.id = user.id;
       session.user.email = user.email;
       session.user.image = user.image;
-
+      session.user.idirGuid = user?.idirGuid ?? token?.idirGuid ?? session.user.idirGuid;
       session.userId = user.id;
       session.userEmail = user.email;
       session.roles.push(GlobalRole.User);
@@ -397,8 +400,14 @@ export const authOptions: AuthOptions = {
   secret: AUTH_SECRET,
   callbacks: {
     async signIn({ user, account, profile }) {
-      const { given_name, family_name, email } = profile as KeycloakProfile;
+      const { given_name, family_name, email, idir_guid } = profile as KeycloakProfileWithIdir;
+
+      if (!idir_guid) {
+        logger.warn(`Login blocked: Missing idirGuid for user ${user?.email}`);
+        return false;
+      }
       const loweremail = email.toLowerCase();
+
       const lastSeen = new Date();
 
       const upsertedUser = await upsertUser(loweremail, { lastSeen });
@@ -410,14 +419,13 @@ export const authOptions: AuthOptions = {
           email: loweremail,
           ministry: '',
           idir: '',
-          idirGuid: '',
+          idirGuid: idir_guid,
           upn: '',
           image: '',
           officeLocation: '',
           jobTitle: '',
           lastSeen,
         };
-
         await prisma.user.upsert({
           where: { email: loweremail },
           update: data,
@@ -429,7 +437,8 @@ export const authOptions: AuthOptions = {
     },
     async jwt({ token, account }: { token: JWT; account: Account | null }) {
       if (account) {
-        await updateUserSession(account);
+        const updatedSession = await updateUserSession(account);
+        if (updatedSession.idirGuid) token.idirGuid = updatedSession.idirGuid;
         return token;
       }
 
@@ -441,7 +450,8 @@ export const authOptions: AuthOptions = {
       if (userSessToRefresh) {
         const newTokens = await getNewTokens(userSessToRefresh.refreshToken);
         if (newTokens) {
-          await updateUserSession(newTokens);
+          const refreshedSession = await updateUserSession(newTokens);
+          if (refreshedSession.idirGuid) token.idirGuid = refreshedSession.idirGuid;
         } else {
           await endUserSession(token.email);
         }
@@ -454,7 +464,6 @@ export const authOptions: AuthOptions = {
   events: {
     async signIn({ user, account }: { user: User; account: Account | null }) {
       if (!user?.email) return;
-
       const loweremail = user.email.toLowerCase();
       const loggedInUser = await prisma.user.findUnique({
         where: { email: loweremail },

app/helpers/mock-users.ts

@@ -86,6 +86,7 @@ export async function generateTestSession(testEmail: string) {
     userSession: {
       email: mockUser.email,
       roles: mockUser.roles,
+      idirGuid: mockUser.idirGuid,
       teams: [],
       sub: '',
       accessToken: '',

app/prisma/schema.prisma

@@ -64,6 +64,7 @@ model UserSession {
   id                   String   @id @default(auto()) @map("_id") @db.ObjectId
   email                String   @unique
   nextTokenRefreshTime DateTime
+  idirGuid             String?
   accessToken          String
   refreshToken         String
   idToken              String

app/types/next-auth.d.ts

@@ -75,6 +75,7 @@ declare module 'next-auth' {
       name: string;
       email: string;
       image: string | null;
+      idirGuid: string | null;
     };
     userId: string | null;
     userEmail: string | null;
@@ -139,12 +140,17 @@ declare module 'next-auth' {
     clientId: string;
     roles: string[];
   }
+
+  interface User {
+    idirGuid?: string | null;
+  }
 }
 
 declare module 'next-auth/jwt' {
   /** Returned by the `jwt` callback and `getToken`, when using JWT sessions */
   interface JWT {
     email?: string;
+    idirGuid?: string;
   }
 }
 

app/types/user.ts

@@ -121,6 +121,7 @@ export type SearchedUser = Prisma.UserGetPayload<{
     email: true;
     upn: true;
     idir: true;
+    idirGuid: true;
     officeLocation: true;
     jobTitle: true;
     image: true;

sandbox/_packages/keycloak-admin/src/main.ts

@@ -30,6 +30,7 @@ interface KcUser {
   lastName: string;
   password: string;
   roles: string[];
+  attributes: Record<string, string[]>;
 }
 
 // Keycloak Admin class to manage Keycloak administration tasks
@@ -213,6 +214,20 @@ export class KcAdmin {
     return scope;
   }
 
+  async updateUser(realm: string, userId: string, kcuser: KcUser) {
+    const { password, roles, ...rest } = kcuser;
+
+    await this._cli.users.update({ realm, id: userId }, rest);
+
+    if (password) {
+      await this._cli.users.resetPassword({
+        realm,
+        id: userId,
+        credential: { temporary: false, type: 'password', value: password },
+      });
+    }
+  }
+
   // Find a user by email in a realm
   async findUserByEmail(realm: string, email: string) {
     const emailUsers = await this._cli.users.find({ realm, email, exact: true });
@@ -222,7 +237,7 @@ export class KcAdmin {
 
   // Create a new user in a realm
   async createUser(realm: string, kcuser: KcUser) {
-    const { password, roles, ...rest } = kcuser;
+    const { password, roles, attributes, ...rest } = kcuser;
 
     // Catch an error if the user already exists
     try {
@@ -231,6 +246,7 @@ export class KcAdmin {
         enabled: true,
         realm,
         emailVerified: true,
+        attributes,
       });
 
       await this._cli.users.resetPassword({
@@ -284,11 +300,19 @@ export class KcAdmin {
     });
 
     await Promise.all(
-      users.map(async ({ email: _email, username, firstName, lastName, password, roles: _roles }) => {
+      users.map(async ({ email: _email, username, firstName, lastName, password, roles: _roles, attributes }) => {
         const email = _email.toLowerCase();
         const roles = uniq(castArray(_roles || [])).filter(Boolean);
 
-        const currUser = await this.createUser(realm, { email, username, firstName, lastName, password, roles });
+        const currUser = await this.createUser(realm, {
+          email,
+          username,
+          firstName,
+          lastName,
+          password,
+          roles,
+          attributes,
+        });
 
         // Revoke all client roles from the user
         await this._cli.users.delClientRoleMappings({

sandbox/keycloak-provision/main.ts

@@ -50,6 +50,24 @@ function getMapperPayload(name: string, claimValue: string) {
   return mapper;
 }
 
+function getUserAttrMapperPayload(userAttr: string, claimName: string) {
+  return {
+    name: claimName,
+    protocol: 'openid-connect',
+    protocolMapper: 'oidc-usermodel-attribute-mapper',
+    config: {
+      'user.attribute': userAttr,
+      'claim.name': claimName,
+      'jsonType.label': 'String',
+      'id.token.claim': 'true',
+      'access.token.claim': 'true',
+      'userinfo.token.claim': 'true',
+      'access.tokenResponse.claim': 'false',
+      multivalued: 'false',
+    },
+  };
+}
+
 async function main() {
   console.log('Starting Keycloak Provision...');
 
@@ -84,6 +102,11 @@ async function main() {
   const authRealm = await kc.upsertRealm(AUTH_REALM_NAME, { enabled: true });
   const authClient = await kc.createPrivateClient(AUTH_REALM_NAME, AUTH_CLIENT_ID, AUTH_CLIENT_SECRET);
 
+  await kc.cli.clients.addProtocolMapper(
+    { realm: AUTH_REALM_NAME, id: authClient?.id as string },
+    getUserAttrMapperPayload('idir_user_guid', 'idir_guid'),
+  );
+
   const scope = await kc.createRealmClientScope(AUTH_REALM_NAME, clientScope);
 
   kc.cli.clients.addDefaultClientScope({
@@ -140,14 +163,19 @@ async function main() {
   // Upsert Admin client
   await kc.createRealmAdminServiceAccount(AUTH_REALM_NAME, ADMIN_CLIENT_ID, ADMIN_CLIENT_SECRET);
 
-  const authUsers = msUsers.map(({ surname, givenName, mail, jobTitle }) => ({
-    username: mail,
-    email: mail,
-    firstName: givenName,
-    lastName: surname,
-    password: mail,
-    roles: jobTitle ? jobTitle.split(',').map((role) => role.trim()) : [],
-  }));
+  const authUsers = msUsers.map(
+    ({ surname, givenName, mail, jobTitle, extension_85cc52e9286540fcb1f97ed86114a0e5_bcgovGUID }) => ({
+      username: mail,
+      email: mail,
+      firstName: givenName,
+      lastName: surname,
+      password: mail,
+      roles: jobTitle ? jobTitle.split(',').map((role) => role.trim()) : [],
+      attributes: {
+        idir_user_guid: [extension_85cc52e9286540fcb1f97ed86114a0e5_bcgovGUID],
+      },
+    }),
+  );
 
   // Create Auth Users with auth roles assigned
   await kc.upsertUsersWithClientRoles(AUTH_REALM_NAME, authClient?.id as string, authUsers);