From bed3de76dd90ea0f65d69b92cd616400f6a00419 Mon Sep 17 00:00:00 2001 From: Rui Hu Date: Wed, 16 Jul 2025 16:43:00 +0800 Subject: [PATCH] Implement query user endpoint for RabbitMQ (#35) This PR implemented ticket clevermicro/user-management#34 for the user-service-v1 endpoint, along with all the infrastructures required to support the endpoints. The changes are: + switch build tool to gradle for easier access to the private artifacts of clevermicro (although later Brian change the artifacts to public) + set up clevermicro amqp client + switched to official keycloak admin client instead of implementing it with webflux + implement the message formats for the RPC protocol, for now they are exclusive to auth-service, but in the future we will reuse (might with some changes) them for all RPC calls inside clevermicro (need a server lib for handling the message parsing and convertion) + implement the user query endpoint + implement unit test so the overall coverage is above 85% + fixed all issues found during the testing phase with shared env Currently the latest docker image has been deployed to the shared env, see https://docs.cleverthis.com/en/architecture/microservices/shared-env#multi-user-support Reviewed-on: https://git.cleverthis.com/clevermicro/user-management/pulls/35 --- .checkstyle | 14 - .forgejo/workflows/coverage-check.yaml | 10 +- .forgejo/workflows/publish-docker.yaml | 10 + .gitignore | 78 +- Dockerfile | 6 +- build.gradle.kts | 128 +++ ci.Dockerfile | 5 + gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 43764 bytes gradle/wrapper/gradle-wrapper.properties | 7 + gradlew | 251 +++++ gradlew.bat | 94 ++ pom.xml | 161 --- settings.gradle.kts | 1 + .../config/CleverMicroClientConfig.java | 89 ++ .../CleverMicroClientConfigProperties.java | 65 ++ .../config/KeycloakClientConfig.java | 26 +- .../PermissionMappingConfigProperties.java | 1 + .../controller/AuthController.java | 47 +- .../controller/rabbitmq/AbstractEndpoint.java | 148 +++ .../EndpointBadRequestException.java | 21 + .../rabbitmq/exception/EndpointException.java | 28 + .../EndpointInternalServerErrorException.java | 15 + .../rabbitmq/model/EndpointErrorResponse.java | 39 + .../rabbitmq/model/EndpointOkResponse.java | 27 + .../rabbitmq/model/EndpointRequest.java | 19 + .../rabbitmq/model/EndpointResponse.java | 19 + .../rabbitmq/model/EndpointResponses.java | 84 ++ .../rabbitmq/v1/user/UserEndpointV1.java | 70 ++ .../KeycloakOrganizationRepresentation.java | 1 + .../OrganizationDomainRepresentation.java | 18 - .../organization/OrganizationResponse.java | 4 +- .../service/IdentityManagerService.java | 2 + .../service/PermissionMapLookupService.java | 16 +- .../FallbackPermissionMapLookupService.java | 28 +- .../service/impl/KeycloakAdminClient.java | 531 ---------- .../impl/KeycloakAdminReactiveClient.java | 473 +++++++++ .../impl/KeycloakIdentityManagerService.java | 326 +++--- src/main/resources/application.yml | 45 +- .../OrganizationControllerTest.java | 72 +- .../KeycloakClientConfigPropertiesTest.java | 11 +- .../rabbitmq/AbstractEndpointTest.java | 238 +++++ .../rabbitmq/v1/user/UserEndpointV1Test.java | 119 +++ ...allbackPermissionMapLookupServiceTest.java | 44 +- .../service/impl/KeycloakAdminClientTest.java | 191 ---- .../impl/KeycloakAdminReactiveClientTest.java | 974 ++++++++++++++++++ .../KeycloakIdentityManagerServiceTest.java | 389 ++++++- src/test/resources/application.yml | 12 + 47 files changed, 3645 insertions(+), 1312 deletions(-) delete mode 100644 .checkstyle create mode 100644 build.gradle.kts create mode 100644 ci.Dockerfile create mode 100644 gradle/wrapper/gradle-wrapper.jar create mode 100644 gradle/wrapper/gradle-wrapper.properties create mode 100755 gradlew create mode 100644 gradlew.bat delete mode 100644 pom.xml create mode 100644 settings.gradle.kts create mode 100644 src/main/java/com/cleverthis/authservice/config/CleverMicroClientConfig.java create mode 100644 src/main/java/com/cleverthis/authservice/config/CleverMicroClientConfigProperties.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/AbstractEndpoint.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointBadRequestException.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointException.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointInternalServerErrorException.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointErrorResponse.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointOkResponse.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointRequest.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointResponse.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointResponses.java create mode 100644 src/main/java/com/cleverthis/authservice/controller/rabbitmq/v1/user/UserEndpointV1.java delete mode 100644 src/main/java/com/cleverthis/authservice/dto/keycloakadmin/OrganizationDomainRepresentation.java delete mode 100644 src/main/java/com/cleverthis/authservice/service/impl/KeycloakAdminClient.java create mode 100644 src/main/java/com/cleverthis/authservice/service/impl/KeycloakAdminReactiveClient.java create mode 100644 src/test/java/com/cleverthis/authservice/controller/rabbitmq/AbstractEndpointTest.java create mode 100644 src/test/java/com/cleverthis/authservice/controller/rabbitmq/v1/user/UserEndpointV1Test.java delete mode 100644 src/test/java/com/cleverthis/authservice/service/impl/KeycloakAdminClientTest.java create mode 100644 src/test/java/com/cleverthis/authservice/service/impl/KeycloakAdminReactiveClientTest.java create mode 100644 src/test/resources/application.yml diff --git a/.checkstyle b/.checkstyle deleted file mode 100644 index d696148..0000000 --- a/.checkstyle +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - - - - - - - - diff --git a/.forgejo/workflows/coverage-check.yaml b/.forgejo/workflows/coverage-check.yaml index 0681c8a..ecf8b44 100644 --- a/.forgejo/workflows/coverage-check.yaml +++ b/.forgejo/workflows/coverage-check.yaml @@ -31,20 +31,24 @@ jobs: # need to setup node and git - run: | apt-get update - apt-get install -y nodejs git curl maven + apt-get install -y nodejs git curl # check out code - uses: actions/checkout@v4 - uses: https://github.com/actions/setup-java@v4 with: distribution: "temurin" java-version: "21" + # ensure executable + - run: chmod +x ./gradlew # run gradle test - - run: mvn clean test jacoco:report + - run: ./gradlew check --no-daemon + env: + MAVEN_TOKEN: ${{ secrets.REGISTRY_PASSWORD }} # process jacoco report - name: Collect coverage report id: coverage run: | - INPUT=$(grep -o ']*>' target/site/jacoco/jacoco.xml | tail -1) + INPUT=$(grep -o ']*>' build/reports/jacoco/test/jacocoTestReport.xml | tail -1) MISSED=$(echo "$INPUT" | sed -n 's/.*missed="\([0-9]*\)".*/\1/p') COVERED=$(echo "$INPUT" | sed -n 's/.*covered="\([0-9]*\)".*/\1/p') echo "MISSED: $MISSED" diff --git a/.forgejo/workflows/publish-docker.yaml b/.forgejo/workflows/publish-docker.yaml index e139111..c7151aa 100644 --- a/.forgejo/workflows/publish-docker.yaml +++ b/.forgejo/workflows/publish-docker.yaml @@ -51,6 +51,15 @@ jobs: with: distribution: "temurin" java-version: "21" + # ensure executable + - run: chmod +x ./gradlew + # run gradle test and build + # disabled since gradle doesn't require maven token anymore +# - run: | +# ./gradlew check +# ./gradlew bootJar +# env: +# MAVEN_TOKEN: ${{ secrets.REGISTRY_PASSWORD }} # setup docker - name: set up docker cli run: | @@ -74,6 +83,7 @@ jobs: uses: docker/build-push-action@v6 with: context: . +# file: ci.Dockerfile file: Dockerfile push: true tags: | diff --git a/.gitignore b/.gitignore index d94278b..63d2f1a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,50 +1,36 @@ -# Useful examples -# https://github.com/github/gitignore +.gradle +build/ +!gradle/wrapper/gradle-wrapper.jar +!**/src/main/**/build/ +!**/src/test/**/build/ -# OS X -*.DS_Store - -# Java -*.jar -*.war -*.ear - -# C/C++ -*.so -*.dylib -*.dSYM -*.dll -*.jnilib - -# Mobile Tools for Java (J2ME) -.mtj.tmp/ - -# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml -hs_err_pid* - -# Directories -**/bin/ -**/classes/ -**/dist/ -**/include/ -**/nbproject/ -/.libs/ -/findbugs/ -/target/ - -#intellij -.idea/ -*.iml - -#logs -*.log - -#project specific -/src/genjava - -#Eclipse che -.che/ +### STS ### +.apt_generated .classpath +.factorypath .project -.settings/ +.settings +.springBeans +.sts4-cache +bin/ +!**/src/main/**/bin/ +!**/src/test/**/bin/ +### IntelliJ IDEA ### +.idea +*.iws +*.iml +*.ipr +out/ +!**/src/main/**/out/ +!**/src/test/**/out/ + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ + +### VS Code ### +.vscode/ diff --git a/Dockerfile b/Dockerfile index ebe212c..49de41b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,11 @@ -FROM maven:3 AS build +FROM gradle:jdk21 AS build WORKDIR /code COPY . /code -RUN mvn clean package spring-boot:repackage +RUN gradle bootJar --no-daemon FROM azul/zulu-openjdk:21-latest EXPOSE 8099 WORKDIR /app -COPY --from=build /code/target/*.jar /app/app.jar +COPY --from=build /code/build/libs/*.jar /app/app.jar ENTRYPOINT ["java", "-jar", "/app/app.jar"] \ No newline at end of file diff --git a/build.gradle.kts b/build.gradle.kts new file mode 100644 index 0000000..68ec74c --- /dev/null +++ b/build.gradle.kts @@ -0,0 +1,128 @@ +plugins { + java + id("org.springframework.boot") version "3.5.3" + id("io.spring.dependency-management") version "1.1.7" + jacoco + checkstyle + idea +} + +group = "com.cleverthis.clevermicro" +version = "0.0.1-SNAPSHOT" + +java { + toolchain { + languageVersion = JavaLanguageVersion.of(21) + } +} + +configurations { + compileOnly { + extendsFrom(configurations.annotationProcessor.get()) + } +} + +configurations.all { + // disable the cache, so it will fetch the latest snapshot for client api + resolutionStrategy.cacheChangingModulesFor(30, TimeUnit.SECONDS) + resolutionStrategy.cacheDynamicVersionsFor(30, TimeUnit.SECONDS) +} + +repositories { + mavenCentral() + maven { + name = "cleverthis-forgejo-maven" + url = uri("https://git.cleverthis.com/api/packages/clevermicro/maven") + // disable auth since artifacts are publicly available +// if (System.getenv("MAVEN_TOKEN").isNullOrBlank()) { +// credentials(HttpHeaderCredentials::class) { +// name = "Authorization" +// val token = +// findProperty("cleverThisForgejoToken") as String? ?: error("Token not found") +// value = "token $token" +// } +// } else { +// credentials(HttpHeaderCredentials::class) { +// name = "Authorization" +// val token = System.getenv("MAVEN_TOKEN") +// value = "token $token" +// } +// } +// authentication { +// create("header", HttpHeaderAuthentication::class) +// } + } +} + +extra["springCloudVersion"] = "2025.0.0" + +dependencyManagement { + imports { + mavenBom("org.springframework.cloud:spring-cloud-dependencies:${property("springCloudVersion")}") + } +} + +// https://javadoc.io/doc/org.mockito/mockito-core/latest/org.mockito/org/mockito/Mockito.html#0.3 +val mockitoAgent = configurations.create("mockitoAgent") +dependencies { + implementation("org.springframework.boot:spring-boot-starter-actuator") + implementation("org.springframework.boot:spring-boot-starter-validation") + implementation("org.springframework.boot:spring-boot-starter-webflux") + implementation("org.springframework.cloud:spring-cloud-starter-consul-config") + compileOnly("org.projectlombok:lombok") + annotationProcessor("org.projectlombok:lombok") + runtimeOnly("io.micrometer:micrometer-registry-prometheus") + + // clevermicro + implementation("com.cleverthis.clevermicro:core:0.2.0-SNAPSHOT") + + // keycloak admin client + implementation("org.keycloak:keycloak-admin-client:26.0.6") + + // opentelemetry + implementation(platform("io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom:2.11.0")) + implementation("io.opentelemetry.instrumentation:opentelemetry-spring-boot-starter") + + testImplementation("org.springframework.boot:spring-boot-starter-test") + testImplementation("io.projectreactor:reactor-test") + testRuntimeOnly("org.junit.platform:junit-platform-launcher") + testImplementation("com.squareup.okhttp3:mockwebserver:4.12.0") + mockitoAgent("org.mockito:mockito-core") { isTransitive = false } +} + +tasks.withType { + jvmArgs("-javaagent:${mockitoAgent.asPath}") + useJUnitPlatform() + // generate jacoco test report + finalizedBy("jacocoTestReport") + // show full output streams so we can debug for pipelines + testLogging { + showStandardStreams = true + } +} + +tasks.jacocoTestReport { + dependsOn(tasks.test) + reports { + xml.required.set(true) + html.required.set(true) + } +} + +checkstyle { + toolVersion = "10.23.1" + configFile = file("${project.rootDir}/checkstyle.xml") + isShowViolations = true + isIgnoreFailures = false + maxWarnings = 0 + maxErrors = 0 + + sourceSets = setOf(project.sourceSets["main"]) +} + +idea { // tell IDEA to always download source code and javadoc + module { + isDownloadJavadoc = true + isDownloadSources = true + } +} diff --git a/ci.Dockerfile b/ci.Dockerfile new file mode 100644 index 0000000..bcaa474 --- /dev/null +++ b/ci.Dockerfile @@ -0,0 +1,5 @@ +FROM azul/zulu-openjdk:21-latest +EXPOSE 8099 +WORKDIR /app +COPY build/libs/*.jar /app/app.jar +ENTRYPOINT ["java", "-jar", "/app/app.jar"] \ No newline at end of file diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..1b33c55baabb587c669f562ae36f953de2481846 GIT binary patch literal 43764 zcma&OWmKeVvL#I6?i3D%6z=Zs?ofE*?rw#G$eqJB ziT4y8-Y@s9rkH0Tz>ll(^xkcTl)CY?rS&9VNd66Yc)g^6)JcWaY(5$5gt z8gr3SBXUTN;~cBgz&})qX%#!Fxom2Yau_`&8)+6aSN7YY+pS410rRUU*>J}qL0TnJ zRxt*7QeUqTh8j)Q&iavh<}L+$Jqz))<`IfKussVk%%Ah-Ti?Eo0hQH!rK%K=#EAw0 zwq@@~XNUXRnv8$;zv<6rCRJ6fPD^hfrh;0K?n z=p!u^3xOgWZ%f3+?+>H)9+w^$Tn1e;?UpVMJb!!;f)`6f&4|8mr+g)^@x>_rvnL0< zvD0Hu_N>$(Li7|Jgu0mRh&MV+<}`~Wi*+avM01E)Jtg=)-vViQKax!GeDc!xv$^mL z{#OVBA$U{(Zr8~Xm|cP@odkHC*1R8z6hcLY#N@3E-A8XEvpt066+3t9L_6Zg6j@9Q zj$$%~yO-OS6PUVrM2s)(T4#6=JpI_@Uz+!6=GdyVU?`!F=d;8#ZB@(5g7$A0(`eqY z8_i@3w$0*es5mrSjhW*qzrl!_LQWs4?VfLmo1Sd@Ztt53+etwzAT^8ow_*7Jp`Y|l z*UgSEwvxq+FYO!O*aLf-PinZYne7Ib6ny3u>MjQz=((r3NTEeU4=-i0LBq3H-VJH< z^>1RE3_JwrclUn9vb7HcGUaFRA0QHcnE;6)hnkp%lY1UII#WPAv?-;c?YH}LWB8Nl z{sx-@Z;QxWh9fX8SxLZk8;kMFlGD3Jc^QZVL4nO)1I$zQwvwM&_!kW+LMf&lApv#< zur|EyC|U@5OQuph$TC_ZU`{!vJp`13e9alaR0Dbn5ikLFH7>eIz4QbV|C=%7)F=qo z_>M&5N)d)7G(A%c>}UCrW!Ql_6_A{?R7&CL`;!KOb3 z8Z=$YkV-IF;c7zs{3-WDEFJzuakFbd*4LWd<_kBE8~BFcv}js_2OowRNzWCtCQ6&k z{&~Me92$m*@e0ANcWKuz)?YjB*VoSTx??-3Cc0l2U!X^;Bv@m87eKHukAljrD54R+ zE;@_w4NPe1>3`i5Qy*3^E9x#VB6?}v=~qIprrrd5|DFkg;v5ixo0IsBmik8=Y;zv2 z%Bcf%NE$a44bk^`i4VwDLTbX=q@j9;JWT9JncQ!+Y%2&HHk@1~*L8-{ZpY?(-a9J-1~<1ltr9i~D9`P{XTIFWA6IG8c4;6bFw*lzU-{+?b&%OcIoCiw00n>A1ra zFPE$y@>ebbZlf(sN_iWBzQKDV zmmaLX#zK!@ZdvCANfwV}9@2O&w)!5gSgQzHdk2Q`jG6KD7S+1R5&F)j6QTD^=hq&7 zHUW+r^da^%V(h(wonR(j?BOiC!;y=%nJvz?*aW&5E87qq;2z`EI(f zBJNNSMFF9U{sR-af5{IY&AtoGcoG)Iq-S^v{7+t0>7N(KRoPj;+2N5;9o_nxIGjJ@ z7bYQK)bX)vEhy~VL%N6g^NE@D5VtV+Q8U2%{ji_=6+i^G%xeskEhH>Sqr194PJ$fB zu1y^){?9Vkg(FY2h)3ZHrw0Z<@;(gd_dtF#6y_;Iwi{yX$?asr?0N0_B*CifEi7<6 zq`?OdQjCYbhVcg+7MSgIM|pJRu~`g?g3x?Tl+V}#$It`iD1j+!x+!;wS0+2e>#g?Z z*EA^k7W{jO1r^K~cD#5pamp+o@8&yw6;%b|uiT?{Wa=4+9<}aXWUuL#ZwN1a;lQod zW{pxWCYGXdEq9qAmvAB904}?97=re$>!I%wxPV#|f#@A*Y=qa%zHlDv^yWbR03%V0 zprLP+b(#fBqxI%FiF*-n8HtH6$8f(P6!H3V^ysgd8de-N(@|K!A< z^qP}jp(RaM9kQ(^K(U8O84?D)aU(g?1S8iWwe)gqpHCaFlJxb*ilr{KTnu4_@5{K- z)n=CCeCrPHO0WHz)dDtkbZfUfVBd?53}K>C5*-wC4hpDN8cGk3lu-ypq+EYpb_2H; z%vP4@&+c2p;thaTs$dc^1CDGlPG@A;yGR5@$UEqk6p58qpw#7lc<+W(WR;(vr(D>W z#(K$vE#uBkT=*q&uaZwzz=P5mjiee6>!lV?c}QIX%ZdkO1dHg>Fa#xcGT6~}1*2m9 zkc7l3ItD6Ie~o_aFjI$Ri=C!8uF4!Ky7iG9QTrxVbsQroi|r)SAon#*B*{}TB-?=@ z8~jJs;_R2iDd!$+n$%X6FO&PYS{YhDAS+U2o4su9x~1+U3z7YN5o0qUK&|g^klZ6X zj_vrM5SUTnz5`*}Hyts9ADwLu#x_L=nv$Z0`HqN`Zo=V>OQI)fh01n~*a%01%cx%0 z4LTFVjmW+ipVQv5rYcn3;d2o4qunWUY!p+?s~X~(ost@WR@r@EuDOSs8*MT4fiP>! zkfo^!PWJJ1MHgKS2D_hc?Bs?isSDO61>ebl$U*9*QY(b=i&rp3@3GV@z>KzcZOxip z^dzA~44;R~cnhWz7s$$v?_8y-k!DZys}Q?4IkSyR!)C0j$(Gm|t#e3|QAOFaV2}36 z?dPNY;@I=FaCwylc_;~kXlZsk$_eLkNb~TIl8QQ`mmH&$*zwwR8zHU*sId)rxHu*K z;yZWa8UmCwju%aSNLwD5fBl^b0Ux1%q8YR*uG`53Mi<`5uA^Dc6Ync)J3N7;zQ*75)hf%a@{$H+%S?SGT)ks60)?6j$ zspl|4Ad6@%-r1t*$tT(en!gIXTUDcsj?28ZEzz)dH)SV3bZ+pjMaW0oc~rOPZP@g! zb9E+ndeVO_Ib9c_>{)`01^`ZS198 z)(t=+{Azi11$eu%aU7jbwuQrO`vLOixuh~%4z@mKr_Oc;F%Uq01fA)^W&y+g16e?rkLhTxV!EqC%2}sx_1u7IBq|}Be&7WI z4I<;1-9tJsI&pQIhj>FPkQV9{(m!wYYV@i5h?A0#BN2wqlEwNDIq06|^2oYVa7<~h zI_OLan0Do*4R5P=a3H9`s5*>xU}_PSztg`+2mv)|3nIy=5#Z$%+@tZnr> zLcTI!Mxa`PY7%{;KW~!=;*t)R_sl<^b>eNO@w#fEt(tPMg_jpJpW$q_DoUlkY|uo> z0-1{ouA#;t%spf*7VjkK&$QrvwUERKt^Sdo)5@?qAP)>}Y!h4(JQ!7{wIdkA+|)bv z&8hBwoX4v|+fie}iTslaBX^i*TjwO}f{V)8*!dMmRPi%XAWc8<_IqK1jUsApk)+~R zNFTCD-h>M5Y{qTQ&0#j@I@tmXGj%rzhTW5%Bkh&sSc=$Fv;M@1y!zvYG5P2(2|(&W zlcbR1{--rJ&s!rB{G-sX5^PaM@3EqWVz_y9cwLR9xMig&9gq(voeI)W&{d6j1jh&< zARXi&APWE1FQWh7eoZjuP z;vdgX>zep^{{2%hem;e*gDJhK1Hj12nBLIJoL<=0+8SVEBx7!4Ea+hBY;A1gBwvY<)tj~T=H`^?3>zeWWm|LAwo*S4Z%bDVUe z6r)CH1H!(>OH#MXFJ2V(U(qxD{4Px2`8qfFLG+=a;B^~Te_Z!r3RO%Oc#ZAHKQxV5 zRYXxZ9T2A%NVJIu5Pu7!Mj>t%YDO$T@M=RR(~mi%sv(YXVl`yMLD;+WZ{vG9(@P#e zMo}ZiK^7^h6TV%cG+;jhJ0s>h&VERs=tuZz^Tlu~%d{ZHtq6hX$V9h)Bw|jVCMudd zwZ5l7In8NT)qEPGF$VSKg&fb0%R2RnUnqa){)V(X(s0U zkCdVZe6wy{+_WhZh3qLp245Y2RR$@g-!9PjJ&4~0cFSHMUn=>dapv)hy}|y91ZWTV zCh=z*!S3_?`$&-eZ6xIXUq8RGl9oK0BJw*TdU6A`LJqX9eS3X@F)g$jLkBWFscPhR zpCv8#KeAc^y>>Y$k^=r|K(DTC}T$0#jQBOwB#@`P6~*IuW_8JxCG}J4va{ zsZzt}tt+cv7=l&CEuVtjD6G2~_Meh%p4RGuY?hSt?(sreO_F}8r7Kp$qQdvCdZnDQ zxzc*qchE*E2=WK)^oRNa>Ttj`fpvF-JZ5tu5>X1xw)J@1!IqWjq)ESBG?J|ez`-Tc zi5a}GZx|w-h%5lNDE_3ho0hEXMoaofo#Z;$8|2;EDF&*L+e$u}K=u?pb;dv$SXeQM zD-~7P0i_`Wk$#YP$=hw3UVU+=^@Kuy$>6?~gIXx636jh{PHly_a2xNYe1l60`|y!7 z(u%;ILuW0DDJ)2%y`Zc~hOALnj1~txJtcdD#o4BCT68+8gZe`=^te6H_egxY#nZH&P*)hgYaoJ^qtmpeea`35Fw)cy!w@c#v6E29co8&D9CTCl%^GV|X;SpneSXzV~LXyRn-@K0Df z{tK-nDWA!q38M1~`xUIt_(MO^R(yNY#9@es9RQbY@Ia*xHhD&=k^T+ zJi@j2I|WcgW=PuAc>hs`(&CvgjL2a9Rx zCbZyUpi8NWUOi@S%t+Su4|r&UoU|ze9SVe7p@f1GBkrjkkq)T}X%Qo1g!SQ{O{P?m z-OfGyyWta+UCXH+-+(D^%kw#A1-U;?9129at7MeCCzC{DNgO zeSqsV>W^NIfTO~4({c}KUiuoH8A*J!Cb0*sp*w-Bg@YfBIPZFH!M}C=S=S7PLLcIG zs7K77g~W)~^|+mx9onzMm0qh(f~OsDTzVmRtz=aZTllgR zGUn~_5hw_k&rll<4G=G+`^Xlnw;jNYDJz@bE?|r866F2hA9v0-8=JO3g}IHB#b`hy zA42a0>{0L7CcabSD+F7?pGbS1KMvT{@1_@k!_+Ki|5~EMGt7T%u=79F)8xEiL5!EJ zzuxQ`NBliCoJMJdwu|);zRCD<5Sf?Y>U$trQ-;xj6!s5&w=9E7)%pZ+1Nh&8nCCwM zv5>Ket%I?cxr3vVva`YeR?dGxbG@pi{H#8@kFEf0Jq6~K4>kt26*bxv=P&jyE#e$| zDJB_~imk^-z|o!2njF2hL*|7sHCnzluhJjwLQGDmC)Y9 zr9ZN`s)uCd^XDvn)VirMgW~qfn1~SaN^7vcX#K1G`==UGaDVVx$0BQnubhX|{e z^i0}>k-;BP#Szk{cFjO{2x~LjK{^Upqd&<+03_iMLp0$!6_$@TbX>8U-f*-w-ew1?`CtD_0y_Lo|PfKi52p?`5$Jzx0E8`M0 zNIb?#!K$mM4X%`Ry_yhG5k@*+n4||2!~*+&pYLh~{`~o(W|o64^NrjP?-1Lgu?iK^ zTX6u3?#$?R?N!{599vg>G8RGHw)Hx&=|g4599y}mXNpM{EPKKXB&+m?==R3GsIq?G zL5fH={=zawB(sMlDBJ+{dgb)Vx3pu>L=mDV0{r1Qs{0Pn%TpopH{m(By4;{FBvi{I z$}x!Iw~MJOL~&)p93SDIfP3x%ROjg}X{Sme#hiJ&Yk&a;iR}V|n%PriZBY8SX2*;6 z4hdb^&h;Xz%)BDACY5AUsV!($lib4>11UmcgXKWpzRL8r2Srl*9Y(1uBQsY&hO&uv znDNff0tpHlLISam?o(lOp#CmFdH<6HmA0{UwfU#Y{8M+7od8b8|B|7ZYR9f<#+V|ZSaCQvI$~es~g(Pv{2&m_rKSB2QQ zMvT}$?Ll>V+!9Xh5^iy3?UG;dF-zh~RL#++roOCsW^cZ&({6q|?Jt6`?S8=16Y{oH zp50I7r1AC1(#{b`Aq5cw>ypNggHKM9vBx!W$eYIzD!4KbLsZGr2o8>g<@inmS3*>J zx8oG((8f!ei|M@JZB`p7+n<Q}?>h249<`7xJ?u}_n;Gq(&km#1ULN87CeTO~FY zS_Ty}0TgQhV zOh3T7{{x&LSYGQfKR1PDIkP!WnfC1$l+fs@Di+d4O=eVKeF~2fq#1<8hEvpwuqcaH z4A8u~r^gnY3u6}zj*RHjk{AHhrrDqaj?|6GaVJbV%o-nATw}ASFr!f`Oz|u_QPkR# z0mDudY1dZRlk@TyQ?%Eti=$_WNFtLpSx9=S^be{wXINp%MU?a`F66LNU<c;0&ngifmP9i;bj6&hdGMW^Kf8e6ZDXbQD&$QAAMo;OQ)G zW(qlHh;}!ZP)JKEjm$VZjTs@hk&4{?@+NADuYrr!R^cJzU{kGc1yB?;7mIyAWwhbeA_l_lw-iDVi7wcFurf5 z#Uw)A@a9fOf{D}AWE%<`s1L_AwpZ?F!Vac$LYkp<#A!!`XKaDC{A%)~K#5z6>Hv@V zBEqF(D5?@6r3Pwj$^krpPDCjB+UOszqUS;b2n>&iAFcw<*im2(b3|5u6SK!n9Sg4I z0KLcwA6{Mq?p%t>aW0W!PQ>iUeYvNjdKYqII!CE7SsS&Rj)eIw-K4jtI?II+0IdGq z2WT|L3RL?;GtGgt1LWfI4Ka`9dbZXc$TMJ~8#Juv@K^1RJN@yzdLS8$AJ(>g!U9`# zx}qr7JWlU+&m)VG*Se;rGisutS%!6yybi%B`bv|9rjS(xOUIvbNz5qtvC$_JYY+c& za*3*2$RUH8p%pSq>48xR)4qsp!Q7BEiJ*`^>^6INRbC@>+2q9?x(h0bpc>GaNFi$K zPH$6!#(~{8@0QZk=)QnM#I=bDx5vTvjm$f4K}%*s+((H2>tUTf==$wqyoI`oxI7>C z&>5fe)Yg)SmT)eA(|j@JYR1M%KixxC-Eceknf-;N=jJTwKvk#@|J^&5H0c+%KxHUI z6dQbwwVx3p?X<_VRVb2fStH?HH zFR@Mp=qX%#L3XL)+$PXKV|o|#DpHAoqvj6uQKe@M-mnhCSou7Dj4YuO6^*V`m)1lf z;)@e%1!Qg$10w8uEmz{ENb$^%u}B;J7sDd zump}onoD#!l=agcBR)iG!3AF0-63%@`K9G(CzKrm$VJ{v7^O9Ps7Zej|3m= zVXlR&yW6=Y%mD30G@|tf=yC7-#L!16Q=dq&@beWgaIL40k0n% z)QHrp2Jck#evLMM1RGt3WvQ936ZC9vEje0nFMfvmOHVI+&okB_K|l-;|4vW;qk>n~ z+|kk8#`K?x`q>`(f6A${wfw9Cx(^)~tX7<#TpxR#zYG2P+FY~mG{tnEkv~d6oUQA+ z&hNTL=~Y@rF`v-RZlts$nb$3(OL1&@Y11hhL9+zUb6)SP!;CD)^GUtUpCHBE`j1te zAGud@miCVFLk$fjsrcpjsadP__yj9iEZUW{Ll7PPi<$R;m1o!&Xdl~R_v0;oDX2z^!&8}zNGA}iYG|k zmehMd1%?R)u6R#<)B)1oe9TgYH5-CqUT8N7K-A-dm3hbm_W21p%8)H{O)xUlBVb+iUR}-v5dFaCyfSd zC6Bd7=N4A@+Bna=!-l|*_(nWGDpoyU>nH=}IOrLfS+-d40&(Wo*dDB9nQiA2Tse$R z;uq{`X7LLzP)%Y9aHa4YQ%H?htkWd3Owv&UYbr5NUDAH^<l@Z0Cx%`N+B*i!!1u>D8%;Qt1$ zE5O0{-`9gdDxZ!`0m}ywH!;c{oBfL-(BH<&SQ~smbcobU!j49O^f4&IIYh~f+hK*M zZwTp%{ZSAhMFj1qFaOA+3)p^gnXH^=)`NTYgTu!CLpEV2NF=~-`(}7p^Eof=@VUbd z_9U|8qF7Rueg&$qpSSkN%%%DpbV?8E8ivu@ensI0toJ7Eas^jyFReQ1JeY9plb^{m z&eQO)qPLZQ6O;FTr*aJq=$cMN)QlQO@G&%z?BKUs1&I^`lq>=QLODwa`(mFGC`0H< zOlc*|N?B5&!U6BuJvkL?s1&nsi$*5cCv7^j_*l&$-sBmRS85UIrE--7eD8Gr3^+o? zqG-Yl4S&E;>H>k^a0GdUI(|n1`ws@)1%sq2XBdK`mqrNq_b4N{#VpouCXLzNvjoFv zo9wMQ6l0+FT+?%N(ka*;%m~(?338bu32v26!{r)|w8J`EL|t$}TA4q_FJRX5 zCPa{hc_I(7TGE#@rO-(!$1H3N-C0{R$J=yPCXCtGk{4>=*B56JdXU9cQVwB`6~cQZ zf^qK21x_d>X%dT!!)CJQ3mlHA@ z{Prkgfs6=Tz%63$6Zr8CO0Ak3A)Cv#@BVKr&aiKG7RYxY$Yx>Bj#3gJk*~Ps-jc1l z;4nltQwwT4@Z)}Pb!3xM?+EW0qEKA)sqzw~!C6wd^{03-9aGf3Jmt=}w-*!yXupLf z;)>-7uvWN4Unn8b4kfIza-X=x*e4n5pU`HtgpFFd))s$C@#d>aUl3helLom+RYb&g zI7A9GXLRZPl}iQS*d$Azxg-VgcUr*lpLnbPKUV{QI|bsG{8bLG<%CF( zMoS4pRDtLVYOWG^@ox^h8xL~afW_9DcE#^1eEC1SVSb1BfDi^@g?#f6e%v~Aw>@w- zIY0k+2lGWNV|aA*e#`U3=+oBDmGeInfcL)>*!w|*;mWiKNG6wP6AW4-4imN!W)!hE zA02~S1*@Q`fD*+qX@f3!2yJX&6FsEfPditB%TWo3=HA;T3o2IrjS@9SSxv%{{7&4_ zdS#r4OU41~GYMiib#z#O;zohNbhJknrPPZS6sN$%HB=jUnlCO_w5Gw5EeE@KV>soy z2EZ?Y|4RQDDjt5y!WBlZ(8M)|HP<0YyG|D%RqD+K#e7-##o3IZxS^wQ5{Kbzb6h(i z#(wZ|^ei>8`%ta*!2tJzwMv+IFHLF`zTU8E^Mu!R*45_=ccqI};Zbyxw@U%a#2}%f zF>q?SrUa_a4H9l+uW8JHh2Oob>NyUwG=QH~-^ZebU*R@67DcXdz2{HVB4#@edz?B< z5!rQH3O0>A&ylROO%G^fimV*LX7>!%re{_Sm6N>S{+GW1LCnGImHRoF@csnFzn@P0 zM=jld0z%oz;j=>c7mMwzq$B^2mae7NiG}%>(wtmsDXkWk{?BeMpTrIt3Mizq?vRsf zi_WjNp+61uV(%gEU-Vf0;>~vcDhe(dzWdaf#4mH3o^v{0EWhj?E?$5v02sV@xL0l4 zX0_IMFtQ44PfWBbPYN#}qxa%=J%dlR{O!KyZvk^g5s?sTNycWYPJ^FK(nl3k?z-5t z39#hKrdO7V(@!TU)LAPY&ngnZ1MzLEeEiZznn7e-jLCy8LO zu^7_#z*%I-BjS#Pg-;zKWWqX-+Ly$T!4`vTe5ZOV0j?TJVA*2?*=82^GVlZIuH%9s zXiV&(T(QGHHah=s&7e|6y?g+XxZGmK55`wGV>@1U)Th&=JTgJq>4mI&Av2C z)w+kRoj_dA!;SfTfkgMPO>7Dw6&1*Hi1q?54Yng`JO&q->^CX21^PrU^JU#CJ_qhV zSG>afB%>2fx<~g8p=P8Yzxqc}s@>>{g7}F!;lCXvF#RV)^fyYb_)iKVCz1xEq=fJ| z0a7DMCK*FuP=NM*5h;*D`R4y$6cpW-E&-i{v`x=Jbk_xSn@2T3q!3HoAOB`@5Vg6) z{PW|@9o!e;v1jZ2{=Uw6S6o{g82x6g=k!)cFSC*oemHaVjg?VpEmtUuD2_J^A~$4* z3O7HsbA6wxw{TP5Kk)(Vm?gKo+_}11vbo{Tp_5x79P~#F)ahQXT)tSH5;;14?s)On zel1J>1x>+7;g1Iz2FRpnYz;sD0wG9Q!vuzE9yKi3@4a9Nh1!GGN?hA)!mZEnnHh&i zf?#ZEN2sFbf~kV;>K3UNj1&vFhc^sxgj8FCL4v>EOYL?2uuT`0eDH}R zmtUJMxVrV5H{L53hu3#qaWLUa#5zY?f5ozIn|PkMWNP%n zWB5!B0LZB0kLw$k39=!akkE9Q>F4j+q434jB4VmslQ;$ zKiO#FZ`p|dKS716jpcvR{QJkSNfDVhr2%~eHrW;fU45>>snr*S8Vik-5eN5k*c2Mp zyxvX&_cFbB6lODXznHHT|rsURe2!swomtrqc~w5 zymTM8!w`1{04CBprR!_F{5LB+2_SOuZN{b*!J~1ZiPpP-M;);!ce!rOPDLtgR@Ie1 zPreuqm4!H)hYePcW1WZ0Fyaqe%l}F~Orr)~+;mkS&pOhP5Ebb`cnUt!X_QhP4_4p( z8YKQCDKGIy>?WIFm3-}Br2-N`T&FOi?t)$hjphB9wOhBXU#Hb+zm&We_-O)s(wc`2 z8?VsvU;J>Ju7n}uUb3s1yPx_F*|FlAi=Ge=-kN?1;`~6szP%$3B0|8Sqp%ebM)F8v zADFrbeT0cgE>M0DMV@_Ze*GHM>q}wWMzt|GYC%}r{OXRG3Ij&<+nx9;4jE${Fj_r* z`{z1AW_6Myd)i6e0E-h&m{{CvzH=Xg!&(bLYgRMO_YVd8JU7W+7MuGWNE=4@OvP9+ zxi^vqS@5%+#gf*Z@RVyU9N1sO-(rY$24LGsg1>w>s6ST^@)|D9>cT50maXLUD{Fzf zt~tp{OSTEKg3ZSQyQQ5r51){%=?xlZ54*t1;Ow)zLe3i?8tD8YyY^k%M)e`V*r+vL zPqUf&m)U+zxps+NprxMHF{QSxv}>lE{JZETNk1&F+R~bp{_T$dbXL2UGnB|hgh*p4h$clt#6;NO~>zuyY@C-MD@)JCc5XrYOt`wW7! z_ti2hhZBMJNbn0O-uTxl_b6Hm313^fG@e;RrhIUK9@# z+DHGv_Ow$%S8D%RB}`doJjJy*aOa5mGHVHz0e0>>O_%+^56?IkA5eN+L1BVCp4~m=1eeL zb;#G!#^5G%6Mw}r1KnaKsLvJB%HZL)!3OxT{k$Yo-XrJ?|7{s4!H+S2o?N|^Z z)+?IE9H7h~Vxn5hTis^3wHYuOU84+bWd)cUKuHapq=&}WV#OxHpLab`NpwHm8LmOo zjri+!k;7j_?FP##CpM+pOVx*0wExEex z@`#)K<-ZrGyArK;a%Km`^+We|eT+#MygHOT6lXBmz`8|lyZOwL1+b+?Z$0OhMEp3R z&J=iRERpv~TC=p2-BYLC*?4 zxvPs9V@g=JT0>zky5Poj=fW_M!c)Xxz1<=&_ZcL=LMZJqlnO1P^xwGGW*Z+yTBvbV z-IFe6;(k1@$1;tS>{%pXZ_7w+i?N4A2=TXnGf=YhePg8bH8M|Lk-->+w8Y+FjZ;L=wSGwxfA`gqSn)f(XNuSm>6Y z@|#e-)I(PQ^G@N`%|_DZSb4_pkaEF0!-nqY+t#pyA>{9^*I-zw4SYA1_z2Bs$XGUZbGA;VeMo%CezHK0lO={L%G)dI-+8w?r9iexdoB{?l zbJ}C?huIhWXBVs7oo{!$lOTlvCLZ_KN1N+XJGuG$rh<^eUQIqcI7^pmqhBSaOKNRq zrx~w^?9C?*&rNwP_SPYmo;J-#!G|{`$JZK7DxsM3N^8iR4vvn>E4MU&Oe1DKJvLc~ zCT>KLZ1;t@My zRj_2hI^61T&LIz)S!+AQIV23n1>ng+LUvzv;xu!4;wpqb#EZz;F)BLUzT;8UA1x*6vJ zicB!3Mj03s*kGV{g`fpC?V^s(=JG-k1EMHbkdP4P*1^8p_TqO|;!Zr%GuP$8KLxuf z=pv*H;kzd;P|2`JmBt~h6|GxdU~@weK5O=X&5~w$HpfO}@l-T7@vTCxVOwCkoPQv8 z@aV_)I5HQtfs7^X=C03zYmH4m0S!V@JINm6#(JmZRHBD?T!m^DdiZJrhKpBcur2u1 zf9e4%k$$vcFopK5!CC`;ww(CKL~}mlxK_Pv!cOsFgVkNIghA2Au@)t6;Y3*2gK=5d z?|@1a)-(sQ%uFOmJ7v2iG&l&m^u&^6DJM#XzCrF%r>{2XKyxLD2rgWBD;i(!e4InDQBDg==^z;AzT2z~OmV0!?Z z0S9pX$+E;w3WN;v&NYT=+G8hf=6w0E1$0AOr61}eOvE8W1jX%>&Mjo7&!ulawgzLH zbcb+IF(s^3aj12WSi#pzIpijJJzkP?JzRawnxmNDSUR#7!29vHULCE<3Aa#be}ie~d|!V+ z%l~s9Odo$G&fH!t!+`rUT0T9DulF!Yq&BfQWFZV1L9D($r4H(}Gnf6k3^wa7g5|Ws zj7%d`!3(0bb55yhC6@Q{?H|2os{_F%o=;-h{@Yyyn*V7?{s%Grvpe!H^kl6tF4Zf5 z{Jv1~yZ*iIWL_9C*8pBMQArfJJ0d9Df6Kl#wa}7Xa#Ef_5B7=X}DzbQXVPfCwTO@9+@;A^Ti6il_C>g?A-GFwA0#U;t4;wOm-4oS})h z5&on>NAu67O?YCQr%7XIzY%LS4bha9*e*4bU4{lGCUmO2UQ2U)QOqClLo61Kx~3dI zmV3*(P6F_Tr-oP%x!0kTnnT?Ep5j;_IQ^pTRp=e8dmJtI4YgWd0}+b2=ATkOhgpXe z;jmw+FBLE}UIs4!&HflFr4)vMFOJ19W4f2^W(=2)F%TAL)+=F>IE$=e=@j-*bFLSg z)wf|uFQu+!=N-UzSef62u0-C8Zc7 zo6@F)c+nZA{H|+~7i$DCU0pL{0Ye|fKLuV^w!0Y^tT$isu%i1Iw&N|tX3kwFKJN(M zXS`k9js66o$r)x?TWL}Kxl`wUDUpwFx(w4Yk%49;$sgVvT~n8AgfG~HUcDt1TRo^s zdla@6heJB@JV z!vK;BUMznhzGK6PVtj0)GB=zTv6)Q9Yt@l#fv7>wKovLobMV-+(8)NJmyF8R zcB|_K7=FJGGn^X@JdFaat0uhKjp3>k#^&xE_}6NYNG?kgTp>2Iu?ElUjt4~E-?`Du z?mDCS9wbuS%fU?5BU@Ijx>1HG*N?gIP+<~xE4u=>H`8o((cS5M6@_OK%jSjFHirQK zN9@~NXFx*jS{<|bgSpC|SAnA@I)+GB=2W|JJChLI_mx+-J(mSJ!b)uUom6nH0#2^(L@JBlV#t zLl?j54s`Y3vE^c_3^Hl0TGu*tw_n?@HyO@ZrENxA+^!)OvUX28gDSF*xFtQzM$A+O zCG=n#6~r|3zt=8%GuG} z<#VCZ%2?3Q(Ad#Y7GMJ~{U3>E{5e@z6+rgZLX{Cxk^p-7dip^d29;2N1_mm4QkASo z-L`GWWPCq$uCo;X_BmGIpJFBlhl<8~EG{vOD1o|X$aB9KPhWO_cKiU*$HWEgtf=fn zsO%9bp~D2c@?*K9jVN@_vhR03>M_8h!_~%aN!Cnr?s-!;U3SVfmhRwk11A^8Ns`@KeE}+ zN$H}a1U6E;*j5&~Og!xHdfK5M<~xka)x-0N)K_&e7AjMz`toDzasH+^1bZlC!n()crk9kg@$(Y{wdKvbuUd04N^8}t1iOgsKF zGa%%XWx@WoVaNC1!|&{5ZbkopFre-Lu(LCE5HWZBoE#W@er9W<>R=^oYxBvypN#x3 zq#LC8&q)GFP=5^-bpHj?LW=)-g+3_)Ylps!3^YQ{9~O9&K)xgy zMkCWaApU-MI~e^cV{Je75Qr7eF%&_H)BvfyKL=gIA>;OSq(y z052BFz3E(Prg~09>|_Z@!qj}@;8yxnw+#Ej0?Rk<y}4ghbD569B{9hSFr*^ygZ zr6j7P#gtZh6tMk6?4V$*Jgz+#&ug;yOr>=qdI#9U&^am2qoh4Jy}H2%a|#Fs{E(5r z%!ijh;VuGA6)W)cJZx+;9Bp1LMUzN~x_8lQ#D3+sL{be-Jyeo@@dv7XguJ&S5vrH` z>QxOMWn7N-T!D@1(@4>ZlL^y5>m#0!HKovs12GRav4z!>p(1~xok8+_{| z#Ae4{9#NLh#Vj2&JuIn5$d6t@__`o}umFo(n0QxUtd2GKCyE+erwXY?`cm*h&^9*8 zJ+8x6fRZI-e$CRygofIQN^dWysCxgkyr{(_oBwwSRxZora1(%(aC!5BTtj^+YuevI zx?)H#(xlALUp6QJ!=l9N__$cxBZ5p&7;qD3PsXRFVd<({Kh+mShFWJNpy`N@ab7?9 zv5=klvCJ4bx|-pvOO2-+G)6O?$&)ncA#Urze2rlBfp#htudhx-NeRnJ@u%^_bfw4o z4|{b8SkPV3b>Wera1W(+N@p9H>dc6{cnkh-sgr?e%(YkWvK+0YXVwk0=d`)}*47*B z5JGkEdVix!w7-<%r0JF~`ZMMPe;f0EQHuYHxya`puazyph*ZSb1mJAt^k4549BfS; zK7~T&lRb=W{s&t`DJ$B}s-eH1&&-wEOH1KWsKn0a(ZI+G!v&W4A*cl>qAvUv6pbUR z#(f#EKV8~hk&8oayBz4vaswc(?qw1vn`yC zZQDl2PCB-&Uu@g9ZQHhO+v(W0bNig{-k0;;`+wM@#@J)8r?qOYs#&vUna8ILxN7S{ zp1s41KnR8miQJtJtOr|+qk}wrLt+N*z#5o`TmD1)E&QD(Vh&pjZJ_J*0!8dy_ z>^=@v=J)C`x&gjqAYu`}t^S=DFCtc0MkBU2zf|69?xW`Ck~(6zLD)gSE{7n~6w8j_ zoH&~$ED2k5-yRa0!r8fMRy z;QjBYUaUnpd}mf%iVFPR%Dg9!d>g`01m~>2s))`W|5!kc+_&Y>wD@@C9%>-lE`WB0 zOIf%FVD^cj#2hCkFgi-fgzIfOi+ya)MZK@IZhHT5FVEaSbv-oDDs0W)pA0&^nM0TW zmgJmd7b1R7b0a`UwWJYZXp4AJPteYLH>@M|xZFKwm!t3D3&q~av?i)WvAKHE{RqpD{{%OhYkK?47}+}` zrR2(Iv9bhVa;cDzJ%6ntcSbx7v7J@Y4x&+eWSKZ*eR7_=CVIUSB$^lfYe@g+p|LD{ zPSpQmxx@b$%d!05|H}WzBT4_cq?@~dvy<7s&QWtieJ9)hd4)$SZz}#H2UTi$CkFWW|I)v_-NjuH!VypONC=1`A=rm_jfzQ8Fu~1r8i{q-+S_j$ z#u^t&Xnfi5tZtl@^!fUJhx@~Cg0*vXMK}D{>|$#T*+mj(J_@c{jXBF|rm4-8%Z2o! z2z0o(4%8KljCm^>6HDK!{jI7p+RAPcty_~GZ~R_+=+UzZ0qzOwD=;YeZt*?3%UGdr z`c|BPE;yUbnyARUl&XWSNJ<+uRt%!xPF&K;(l$^JcA_CMH6)FZt{>6ah$|(9$2fc~ z=CD00uHM{qv;{Zk9FR0~u|3|Eiqv9?z2#^GqylT5>6JNZwKqKBzzQpKU2_pmtD;CT zi%Ktau!Y2Tldfu&b0UgmF(SSBID)15*r08eoUe#bT_K-G4VecJL2Pa=6D1K6({zj6 za(2Z{r!FY5W^y{qZ}08+h9f>EKd&PN90f}Sc0ejf%kB4+f#T8Q1=Pj=~#pi$U zp#5rMR%W25>k?<$;$x72pkLibu1N|jX4cWjD3q^Pk3js!uK6h7!dlvw24crL|MZs_ zb%Y%?Fyp0bY0HkG^XyS76Ts*|Giw{31LR~+WU5NejqfPr73Rp!xQ1mLgq@mdWncLy z%8}|nzS4P&`^;zAR-&nm5f;D-%yNQPwq4N7&yULM8bkttkD)hVU>h>t47`{8?n2&4 zjEfL}UEagLUYwdx0sB2QXGeRmL?sZ%J!XM`$@ODc2!y|2#7hys=b$LrGbvvjx`Iqi z&RDDm3YBrlKhl`O@%%&rhLWZ*ABFz2nHu7k~3@e4)kO3%$=?GEFUcCF=6-1n!x^vmu+Ai*amgXH+Rknl6U>#9w;A} zn2xanZSDu`4%%x}+~FG{Wbi1jo@wqBc5(5Xl~d0KW(^Iu(U3>WB@-(&vn_PJt9{1`e9Iic@+{VPc`vP776L*viP{wYB2Iff8hB%E3|o zGMOu)tJX!`qJ}ZPzq7>=`*9TmETN7xwU;^AmFZ-ckZjV5B2T09pYliaqGFY|X#E-8 z20b>y?(r-Fn5*WZ-GsK}4WM>@TTqsxvSYWL6>18q8Q`~JO1{vLND2wg@58OaU!EvT z1|o+f1mVXz2EKAbL!Q=QWQKDZpV|jznuJ}@-)1&cdo z^&~b4Mx{*1gurlH;Vhk5g_cM&6LOHS2 zRkLfO#HabR1JD4Vc2t828dCUG#DL}f5QDSBg?o)IYYi@_xVwR2w_ntlpAW0NWk$F1 z$If?*lP&Ka1oWfl!)1c3fl`g*lMW3JOn#)R1+tfwrs`aiFUgz3;XIJ>{QFxLCkK30 zNS-)#DON3yb!7LBHQJ$)4y%TN82DC2-9tOIqzhZ27@WY^<6}vXCWcR5iN{LN8{0u9 zNXayqD=G|e?O^*ms*4P?G%o@J1tN9_76e}E#66mr89%W_&w4n66~R;X_vWD(oArwj z4CpY`)_mH2FvDuxgT+akffhX0b_slJJ*?Jn3O3~moqu2Fs1oL*>7m=oVek2bnprnW zixkaIFU%+3XhNA@@9hyhFwqsH2bM|`P?G>i<-gy>NflhrN{$9?LZ1ynSE_Mj0rADF zhOz4FnK}wpLmQuV zgO4_Oz9GBu_NN>cPLA=`SP^$gxAnj;WjJnBi%Q1zg`*^cG;Q)#3Gv@c^j6L{arv>- zAW%8WrSAVY1sj$=umcAf#ZgC8UGZGoamK}hR7j6}i8#np8ruUlvgQ$j+AQglFsQQq zOjyHf22pxh9+h#n$21&$h?2uq0>C9P?P=Juw0|;oE~c$H{#RGfa>| zj)Iv&uOnaf@foiBJ}_;zyPHcZt1U~nOcNB{)og8Btv+;f@PIT*xz$x!G?u0Di$lo7 zOugtQ$Wx|C($fyJTZE1JvR~i7LP{ zbdIwqYghQAJi9p}V&$=*2Azev$6K@pyblphgpv8^9bN!?V}{BkC!o#bl&AP!3DAjM zmWFsvn2fKWCfjcAQmE+=c3Y7j@#7|{;;0f~PIodmq*;W9Fiak|gil6$w3%b_Pr6K_ zJEG@&!J%DgBZJDCMn^7mk`JV0&l07Bt`1ymM|;a)MOWz*bh2#d{i?SDe9IcHs7 zjCrnyQ*Y5GzIt}>`bD91o#~5H?4_nckAgotN{2%!?wsSl|LVmJht$uhGa+HiH>;av z8c?mcMYM7;mvWr6noUR{)gE!=i7cZUY7e;HXa221KkRoc2UB>s$Y(k%NzTSEr>W(u z<(4mcc)4rB_&bPzX*1?*ra%VF}P1nwiP5cykJ&W{!OTlz&Td0pOkVp+wc z@k=-Hg=()hNg=Q!Ub%`BONH{ z_=ZFgetj@)NvppAK2>8r!KAgi>#%*7;O-o9MOOfQjV-n@BX6;Xw;I`%HBkk20v`qoVd0)}L6_49y1IhR z_OS}+eto}OPVRn*?UHC{eGyFU7JkPz!+gX4P>?h3QOwGS63fv4D1*no^6PveUeE5% zlehjv_3_^j^C({a2&RSoVlOn71D8WwMu9@Nb@=E_>1R*ve3`#TF(NA0?d9IR_tm=P zOP-x;gS*vtyE1Cm zG0L?2nRUFj#aLr-R1fX*$sXhad)~xdA*=hF3zPZhha<2O$Ps+F07w*3#MTe?)T8|A!P!v+a|ot{|^$q(TX`35O{WI0RbU zCj?hgOv=Z)xV?F`@HKI11IKtT^ocP78cqHU!YS@cHI@{fPD?YXL)?sD~9thOAv4JM|K8OlQhPXgnevF=F7GKD2#sZW*d za}ma31wLm81IZxX(W#A9mBvLZr|PoLnP>S4BhpK8{YV_}C|p<)4#yO{#ISbco92^3 zv&kCE(q9Wi;9%7>>PQ!zSkM%qqqLZW7O`VXvcj;WcJ`2~v?ZTYB@$Q&^CTfvy?1r^ z;Cdi+PTtmQwHX_7Kz?r#1>D zS5lWU(Mw_$B&`ZPmqxpIvK<~fbXq?x20k1~9az-Q!uR78mCgRj*eQ>zh3c$W}>^+w^dIr-u{@s30J=)1zF8?Wn|H`GS<=>Om|DjzC{}Jt?{!fSJe*@$H zg>wFnlT)k#T?LslW zu$^7Uy~$SQ21cE?3Ijl+bLfuH^U5P^$@~*UY#|_`uvAIe(+wD2eF}z_y!pvomuVO; zS^9fbdv)pcm-B@CW|Upm<7s|0+$@@<&*>$a{aW+oJ%f+VMO<#wa)7n|JL5egEgoBv zl$BY(NQjE0#*nv=!kMnp&{2Le#30b)Ql2e!VkPLK*+{jv77H7)xG7&=aPHL7LK9ER z5lfHxBI5O{-3S?GU4X6$yVk>lFn;ApnwZybdC-GAvaznGW-lScIls-P?Km2mF>%B2 zkcrXTk+__hj-3f48U%|jX9*|Ps41U_cd>2QW81Lz9}%`mTDIhE)jYI$q$ma7Y-`>% z8=u+Oftgcj%~TU}3nP8&h7k+}$D-CCgS~wtWvM|UU77r^pUw3YCV80Ou*+bH0!mf0 zxzUq4ed6y>oYFz7+l18PGGzhB^pqSt)si=9M>~0(Bx9*5r~W7sa#w+_1TSj3Jn9mW zMuG9BxN=}4645Cpa#SVKjFst;9UUY@O<|wpnZk$kE+to^4!?0@?Cwr3(>!NjYbu?x z1!U-?0_O?k!NdM^-rIQ8p)%?M+2xkhltt*|l=%z2WFJhme7*2xD~@zk#`dQR$6Lmd zb3LOD4fdt$Cq>?1<%&Y^wTWX=eHQ49Xl_lFUA(YQYHGHhd}@!VpYHHm=(1-O=yfK#kKe|2Xc*9}?BDFN zD7FJM-AjVi)T~OG)hpSWqH>vlb41V#^G2B_EvYlWhDB{Z;Q9-0)ja(O+By`31=biA zG&Fs#5!%_mHi|E4Nm$;vVQ!*>=_F;ZC=1DTPB#CICS5fL2T3XmzyHu?bI;m7D4@#; ztr~;dGYwb?m^VebuULtS4lkC_7>KCS)F@)0OdxZIFZp@FM_pHnJes8YOvwB|++#G( z&dm*OP^cz95Wi15vh`Q+yB>R{8zqEhz5of>Po$9LNE{xS<)lg2*roP*sQ}3r3t<}; zPbDl{lk{pox~2(XY5=qg0z!W-x^PJ`VVtz$git7?)!h>`91&&hESZy1KCJ2nS^yMH z!=Q$eTyRi68rKxdDsdt+%J_&lapa{ds^HV9Ngp^YDvtq&-Xp}60B_w@Ma>_1TTC;^ zpbe!#gH}#fFLkNo#|`jcn?5LeUYto%==XBk6Ik0kc4$6Z+L3x^4=M6OI1=z5u#M%0 z0E`kevJEpJjvvN>+g`?gtnbo$@p4VumliZV3Z%CfXXB&wPS^5C+7of2tyVkMwNWBiTE2 z8CdPu3i{*vR-I(NY5syRR}I1TJOV@DJy-Xmvxn^IInF>Tx2e)eE9jVSz69$6T`M9-&om!T+I znia!ZWJRB28o_srWlAxtz4VVft8)cYloIoVF=pL zugnk@vFLXQ_^7;%hn9x;Vq?lzg7%CQR^c#S)Oc-8d=q_!2ZVH764V z!wDKSgP}BrVV6SfCLZnYe-7f;igDs9t+K*rbMAKsp9L$Kh<6Z;e7;xxced zn=FGY<}CUz31a2G}$Q(`_r~75PzM4l_({Hg&b@d8&jC}B?2<+ed`f#qMEWi z`gm!STV9E4sLaQX+sp5Nu9*;9g12naf5?=P9p@H@f}dxYprH+3ju)uDFt^V{G0APn zS;16Dk{*fm6&BCg#2vo?7cbkkI4R`S9SSEJ=#KBk3rl69SxnCnS#{*$!^T9UUmO#&XXKjHKBqLdt^3yVvu8yn|{ zZ#%1CP)8t-PAz(+_g?xyq;C2<9<5Yy<~C74Iw(y>uUL$+$mp(DRcCWbCKiGCZw@?_ zdomfp+C5xt;j5L@VfhF*xvZdXwA5pcdsG>G<8II-|1dhAgzS&KArcb0BD4ZZ#WfiEY{hkCq5%z9@f|!EwTm;UEjKJsUo696V>h zy##eXYX}GUu%t{Gql8vVZKkNhQeQ4C%n|RmxL4ee5$cgwlU+?V7a?(jI#&3wid+Kz5+x^G!bb#$q>QpR#BZ}Xo5UW^ zD&I`;?(a}Oys7-`I^|AkN?{XLZNa{@27Dv^s4pGowuyhHuXc zuctKG2x0{WCvg_sGN^n9myJ}&FXyGmUQnW7fR$=bj$AHR88-q$D!*8MNB{YvTTEyS zn22f@WMdvg5~o_2wkjItJN@?mDZ9UUlat2zCh(zVE=dGi$rjXF7&}*sxac^%HFD`Y zTM5D3u5x**{bW!68DL1A!s&$2XG@ytB~dX-?BF9U@XZABO`a|LM1X3HWCllgl0+uL z04S*PX$%|^WAq%jkzp~%9HyYIF{Ym?k)j3nMwPZ=hlCg9!G+t>tf0o|J2%t1 ztC+`((dUplgm3`+0JN~}&FRRJ3?l*>Y&TfjS>!ShS`*MwO{WIbAZR#<%M|4c4^dY8 z{Rh;-!qhY=dz5JthbWoovLY~jNaw>%tS4gHVlt5epV8ekXm#==Po$)}mh^u*cE>q7*kvX&gq)(AHoItMYH6^s6f(deNw%}1=7O~bTHSj1rm2|Cq+3M z93djjdomWCTCYu!3Slx2bZVy#CWDozNedIHbqa|otsUl+ut?>a;}OqPfQA05Yim_2 zs@^BjPoFHOYNc6VbNaR5QZfSMh2S*`BGwcHMM(1@w{-4jVqE8Eu0Bi%d!E*^Rj?cR z7qgxkINXZR)K^=fh{pc0DCKtrydVbVILI>@Y0!Jm>x-xM!gu%dehm?cC6ok_msDVA*J#{75%4IZt}X|tIVPReZS#aCvuHkZxc zHVMtUhT(wp09+w9j9eRqz~LtuSNi2rQx_QgQ(}jBt7NqyT&ma61ldD(s9x%@q~PQl zp6N*?=N$BtvjQ_xIT{+vhb1>{pM0Arde0!X-y))A4znDrVx8yrP3B1(7bKPE5jR@5 zwpzwT4cu~_qUG#zYMZ_!2Tkl9zP>M%cy>9Y(@&VoB84#%>amTAH{(hL4cDYt!^{8L z645F>BWO6QaFJ-{C-i|-d%j7#&7)$X7pv#%9J6da#9FB5KyDhkA+~)G0^87!^}AP>XaCSScr;kL;Z%RSPD2CgoJ;gpYT5&6NUK$86$T?jRH=w8nI9Z534O?5fk{kd z`(-t$8W|#$3>xoMfXvV^-A(Q~$8SKDE^!T;J+rQXP71XZ(kCCbP%bAQ1|%$%Ov9_a zyC`QP3uPvFoBqr_+$HenHklqyIr>PU_Fk5$2C+0eYy^~7U&(!B&&P2%7#mBUhM!z> z_B$Ko?{Pf6?)gpYs~N*y%-3!1>o-4;@1Zz9VQHh)j5U1aL-Hyu@1d?X;jtDBNk*vMXPn@ z+u@wxHN*{uHR!*g*4Xo&w;5A+=Pf9w#PeZ^x@UD?iQ&${K2c}UQgLRik-rKM#Y5rdDphdcNTF~cCX&9ViRP}`>L)QA4zNXeG)KXFzSDa6 zd^St;inY6J_i=5mcGTx4_^Ys`M3l%Q==f>{8S1LEHn{y(kbxn5g1ezt4CELqy)~TV6{;VW>O9?5^ ztcoxHRa0jQY7>wwHWcxA-BCwzsP>63Kt&3fy*n#Cha687CQurXaRQnf5wc9o8v7Rw zNwGr2fac;Wr-Ldehn7tF^(-gPJwPt@VR1f;AmKgxN&YPL;j=0^xKM{!wuU|^mh3NE zy35quf}MeL!PU;|{OW_x$TBothLylT-J>_x6p}B_jW1L>k)ps6n%7Rh z96mPkJIM0QFNYUM2H}YF5bs%@Chs6#pEnloQhEl?J-)es!(SoJpEPoMTdgA14-#mC zghayD-DJWtUu`TD8?4mR)w5E`^EHbsz2EjH5aQLYRcF{l7_Q5?CEEvzDo(zjh|BKg z3aJl_n#j&eFHsUw4~lxqnr!6NL*se)6H=A+T1e3xUJGQrd}oSPwSy5+$tt{2t5J5@(lFxl43amsARG74iyNC}uuS zd2$=(r6RdamdGx^eatX@F2D8?U23tDpR+Os?0Gq2&^dF+$9wiWf?=mDWfjo4LfRwL zI#SRV9iSz>XCSgEj!cW&9H-njJopYiYuq|2w<5R2!nZ27DyvU4UDrHpoNQZiGPkp@ z1$h4H46Zn~eqdj$pWrv;*t!rTYTfZ1_bdkZmVVIRC21YeU$iS-*XMNK`#p8Z_DJx| zk3Jssf^XP7v0X?MWFO{rACltn$^~q(M9rMYoVxG$15N;nP)A98k^m3CJx8>6}NrUd@wp-E#$Q0uUDQT5GoiK_R{ z<{`g;8s>UFLpbga#DAf%qbfi`WN1J@6IA~R!YBT}qp%V-j!ybkR{uY0X|x)gmzE0J z&)=eHPjBxJvrZSOmt|)hC+kIMI;qgOnuL3mbNR0g^<%|>9x7>{}>a2qYSZAGPt4it?8 zNcLc!Gy0>$jaU?}ZWxK78hbhzE+etM`67*-*x4DN>1_&{@5t7_c*n(qz>&K{Y?10s zXsw2&nQev#SUSd|D8w7ZD2>E<%g^; zV{yE_O}gq?Q|zL|jdqB^zcx7vo(^})QW?QKacx$yR zhG|XH|8$vDZNIfuxr-sYFR{^csEI*IM#_gd;9*C+SysUFejP0{{z7@P?1+&_o6=7V|EJLQun^XEMS)w(=@eMi5&bbH*a0f;iC~2J74V2DZIlLUHD&>mlug5+v z6xBN~8-ovZylyH&gG#ptYsNlT?-tzOh%V#Y33zlsJ{AIju`CjIgf$@gr8}JugRq^c zAVQ3;&uGaVlVw}SUSWnTkH_6DISN&k2QLMBe9YU=sA+WiX@z)FoSYX`^k@B!j;ZeC zf&**P?HQG6Rk98hZ*ozn6iS-dG}V>jQhb3?4NJB*2F?6N7Nd;EOOo;xR7acylLaLy z9)^lykX39d@8@I~iEVar4jmjjLWhR0d=EB@%I;FZM$rykBNN~jf>#WbH4U{MqhhF6 zU??@fSO~4EbU4MaeQ_UXQcFyO*Rae|VAPLYMJEU`Q_Q_%s2*>$#S^)&7er+&`9L=1 z4q4ao07Z2Vsa%(nP!kJ590YmvrWg+YrgXYs_lv&B5EcoD`%uL79WyYA$0>>qi6ov7 z%`ia~J^_l{p39EY zv>>b}Qs8vxsu&WcXEt8B#FD%L%ZpcVtY!rqVTHe;$p9rbb5O{^rFMB>auLn-^;s+-&P1#h~mf~YLg$8M9 zZ4#87;e-Y6x6QO<{McUzhy(%*6| z)`D~A(TJ$>+0H+mct(jfgL4x%^oC^T#u(bL)`E2tBI#V1kSikAWmOOYrO~#-cc_8! zCe|@1&mN2{*ceeiBldHCdrURk4>V}79_*TVP3aCyV*5n@jiNbOm+~EQ_}1#->_tI@ zqXv+jj2#8xJtW508rzFrYcJxoek@iW6SR@1%a%Bux&;>25%`j3UI`0DaUr7l79`B1 zqqUARhW1^h6=)6?;@v>xrZNM;t}{yY3P@|L}ey@gG( z9r{}WoYN(9TW&dE2dEJIXkyHA4&pU6ki=rx&l2{DLGbVmg4%3Dlfvn!GB>EVaY_%3+Df{fBiqJV>~Xf8A0aqUjgpa} zoF8YXO&^_x*Ej}nw-$-F@(ddB>%RWoPUj?p8U{t0=n>gAI83y<9Ce@Q#3&(soJ{64 z37@Vij1}5fmzAuIUnXX`EYe;!H-yTVTmhAy;y8VZeB#vD{vw9~P#DiFiKQ|kWwGFZ z=jK;JX*A;Jr{#x?n8XUOLS;C%f|zj-7vXtlf_DtP7bpurBeX%Hjwr z4lI-2TdFpzkjgiv!8Vfv`=SP+s=^i3+N~1ELNWUbH|ytVu>EyPN_3(4TM^QE1swRo zoV7Y_g)a>28+hZG0e7g%@2^s>pzR4^fzR-El}ARTmtu!zjZLuX%>#OoU3}|rFjJg} zQ2TmaygxJ#sbHVyiA5KE+yH0LREWr%^C*yR|@gM$nK2P zo}M}PV0v))uJh&33N>#aU376@ZH79u(Yw`EQ2hM3SJs9f99+cO6_pNW$j$L-CtAfe zYfM)ccwD!P%LiBk!eCD?fHCGvgMQ%Q2oT_gmf?OY=A>&PaZQOq4eT=lwbaf}33LCH zFD|)lu{K7$8n9gX#w4~URjZxWm@wlH%oL#G|I~Fb-v^0L0TWu+`B+ZG!yII)w05DU z>GO?n(TN+B=>HdxVDSlIH76pta$_LhbBg;eZ`M7OGcqt||qi zogS72W1IN%=)5JCyOHWoFP7pOFK0L*OAh=i%&VW&4^LF@R;+K)t^S!96?}^+5QBIs zjJNTCh)?)4k^H^g1&jc>gysM`y^8Rm3qsvkr$9AeWwYpa$b22=yAd1t<*{ zaowSEFP+{y?Ob}8&cwfqoy4Pb9IA~VnM3u!trIK$&&0Op#Ql4j>(EW?UNUv#*iH1$ z^j>+W{afcd`{e&`-A{g}{JnIzYib)!T56IT@YEs{4|`sMpW3c8@UCoIJv`XsAw!XC z34|Il$LpW}CIHFC5e*)}00I5{%OL*WZRGzC0?_}-9{#ue?-ug^ zLE|uv-~6xnSs_2_&CN9{9vyc!Xgtn36_g^wI0C4s0s^;8+p?|mm;Odt3`2ZjwtK;l zfd6j)*Fr#53>C6Y8(N5?$H0ma;BCF3HCjUs7rpb2Kf*x3Xcj#O8mvs#&33i+McX zQpBxD8!O{5Y8D&0*QjD=Yhl9%M0)&_vk}bmN_Ud^BPN;H=U^bn&(csl-pkA+GyY0Z zKV7sU_4n;}uR78ouo8O%g*V;79KY?3d>k6%gpcmQsKk&@Vkw9yna_3asGt`0Hmj59 z%0yiF*`jXhByBI9QsD=+>big5{)BGe&+U2gAARGe3ID)xrid~QN_{I>k}@tzL!Md_ z&=7>TWciblF@EMC3t4-WX{?!m!G6$M$1S?NzF*2KHMP3Go4=#ZHkeIv{eEd;s-yD# z_jU^Ba06TZqvV|Yd;Z_sN%$X=!T+&?#p+OQIHS%!LO`Hx0q_Y0MyGYFNoM{W;&@0@ zLM^!X4KhdtsET5G<0+|q0oqVXMW~-7LW9Bg}=E$YtNh1#1D^6Mz(V9?2g~I1( zoz9Cz=8Hw98zVLwC2AQvp@pBeKyidn6Xu0-1SY1((^Hu*-!HxFUPs)yJ+i`^BC>PC zjwd0mygOVK#d2pRC9LxqGc6;Ui>f{YW9Bvb>33bp^NcnZoH~w9(lM5@JiIlfa-6|k ziy31UoMN%fvQfhi8^T+=yrP{QEyb-jK~>$A4SZT-N56NYEbpvO&yUme&pWKs3^94D zH{oXnUTb3T@H+RgzML*lejx`WAyw*?K7B-I(VJx($2!NXYm%3`=F~TbLv3H<{>D?A zJo-FDYdSA-(Y%;4KUP2SpHKAIcv9-ld(UEJE7=TKp|Gryn;72?0LHqAN^fk6%8PCW z{g_-t)G5uCIf0I`*F0ZNl)Z>))MaLMpXgqWgj-y;R+@A+AzDjsTqw2Mo9ULKA3c70 z!7SOkMtZb+MStH>9MnvNV0G;pwSW9HgP+`tg}e{ij0H6Zt5zJ7iw`hEnvye!XbA@!~#%vIkzowCOvq5I5@$3wtc*w2R$7!$*?}vg4;eDyJ_1=ixJuEp3pUS27W?qq(P^8$_lU!mRChT}ctvZz4p!X^ zOSp|JOAi~f?UkwH#9k{0smZ7-#=lK6X3OFEMl7%)WIcHb=#ZN$L=aD`#DZKOG4p4r zwlQ~XDZ`R-RbF&hZZhu3(67kggsM-F4Y_tI^PH8PMJRcs7NS9ogF+?bZB*fcpJ z=LTM4W=N9yepVvTj&Hu~0?*vR1HgtEvf8w%Q;U0^`2@e8{SwgX5d(cQ|1(!|i$km! zvY03MK}j`sff;*-%mN~ST>xU$6Bu?*Hm%l@0dk;j@%>}jsgDcQ)Hn*UfuThz9(ww_ zasV`rSrp_^bp-0sx>i35FzJwA!d6cZ5#5#nr@GcPEjNnFHIrtUYm1^Z$;{d&{hQV9 z6EfFHaIS}46p^5I-D_EcwwzUUuO}mqRh&T7r9sfw`)G^Q%oHxEs~+XoM?8e*{-&!7 z7$m$lg9t9KP9282eke608^Q2E%H-xm|oJ8=*SyEo} z@&;TQ3K)jgspgKHyGiKVMCz>xmC=H5Fy3!=TP)-R3|&1S-B)!6q50wfLHKM@7Bq6E z44CY%G;GY>tC`~yh!qv~YdXw! zSkquvYNs6k1r7>Eza?Vkkxo6XRS$W7EzL&A`o>=$HXgBp{L(i^$}t`NcnAxzbH8Ht z2!;`bhKIh`f1hIFcI5bHI=ueKdzmB9)!z$s-BT4ItyY|NaA_+o=jO%MU5as9 zc2)aLP>N%u>wlaXTK!p)r?+~)L+0eCGb5{8WIk7K52$nufnQ+m8YF+GQc&{^(zh-$ z#wyWV*Zh@d!b(WwXqvfhQX)^aoHTBkc;4ossV3&Ut*k>AI|m+{#kh4B!`3*<)EJVj zwrxK>99v^k4&Y&`Awm>|exo}NvewV%E+@vOc>5>%H#BK9uaE2$vje zWYM5fKuOTtn96B_2~~!xJPIcXF>E_;yO8AwpJ4)V`Hht#wbO3Ung~@c%%=FX4)q+9 z99#>VC2!4l`~0WHs9FI$Nz+abUq# zz`Of97})Su=^rGp2S$)7N3rQCj#0%2YO<R&p>$<#lgXcUj=4H_{oAYiT3 z44*xDn-$wEzRw7#@6aD)EGO$0{!C5Z^7#yl1o;k0PhN=aVUQu~eTQ^Xy{z8Ow6tk83 z4{5xe%(hx)%nD&|e*6sTWH`4W&U!Jae#U4TnICheJmsw{l|CH?UA{a6?2GNgpZLyzU2UlFu1ZVwlALmh_DOs03J^Cjh1im`E3?9&zvNmg(MuMw&0^Lu$(#CJ*q6DjlKsY-RMJ^8yIY|{SQZ*9~CH|u9L z`R78^r=EbbR*_>5?-)I+$6i}G)%mN(`!X72KaV(MNUP7Nv3MS9S|Pe!%N2AeOt5zG zVJ;jI4HZ$W->Ai_4X+`9c(~m=@ek*m`ZQbv3ryI-AD#AH=`x$~WeW~M{Js57(K7(v ze5`};LG|%C_tmd>bkufMWmAo&B+DT9ZV~h(4jg0>^aeAqL`PEUzJJtI8W1M!bQWpv zvN(d}E1@nlYa!L!!A*RN!(Q3F%J?5PvQ0udu?q-T)j3JKV~NL>KRb~w-lWc685uS6 z=S#aR&B8Sc8>cGJ!!--?kwsJTUUm`Jk?7`H z7PrO~xgBrSW2_tTlCq1LH8*!o?pj?qxy8}(=r_;G18POrFh#;buWR0qU24+XUaVZ0 z?(sXcr@-YqvkCmHr{U2oPogHL{r#3r49TeR<{SJX1pcUqyWPrkYz^X8#QW~?F)R5i z>p^!i<;qM8Nf{-fd6!_&V*e_9qP6q(s<--&1Ttj01j0w>bXY7y1W*%Auu&p|XSOH=)V7Bd4fUKh&T1)@cvqhuD-d=?w}O zjI%i(f|thk0Go*!d7D%0^ztBfE*V=(ZIN84f5HU}T9?ulmEYzT5usi=DeuI*d|;M~ zp_=Cx^!4k#=m_qSPBr5EK~E?3J{dWWPH&oCcNepYVqL?nh4D5ynfWip$m*YlZ8r^Z zuFEUL-nW!3qjRCLIWPT0x)FDL7>Yt7@8dA?R2kF@WE>ysMY+)lTsgNM#3VbXVGL}F z1O(>q>2a+_`6r5Xv$NZAnp=Kgnr3)cL(^=8ypEeOf3q8(HGe@7Tt59;yFl||w|mnO zHDxg2G3z8=(6wjj9kbcEY@Z0iOd7Gq5GiPS5% z*sF1J<#daxDV2Z8H>wxOF<;yKzMeTaSOp_|XkS9Sfn6Mpe9UBi1cSTieGG5$O;ZLIIJ60Y>SN4vC?=yE_CWlo(EEE$e4j?z&^FM%kNmRtlbEL^dPPgvs9sbK5fGw*r@ z+!EU@u$T8!nZh?Fdf_qk$VuHk^yVw`h`_#KoS*N%epIIOfQUy_&V}VWDGp3tplMbf z5Se1sJUC$7N0F1-9jdV2mmGK{-}fu|Nv;12jDy0<-kf^AmkDnu6j~TPWOgy1MT68|D z=4=50jVbUKdKaQgD`eWGr3I&^<6uhkjz$YwItY8%Yp9{z4-{6g{73<_b*@XJ4Nm3-3z z?BW3{aY_ccRjb@W1)i5nLg|7BnWS!B`_Uo9CWaE`Ij327QH?i)9A}4Ug4wmxVVa^b z-4+m%-wwOl7cKH7+=x&nrCrbEC)Q$fpg&V83#uEH;C=GNMz`ps@^RxK%T*8%OPnC` z{WO~J%nxYJ`x|N%?&i7?;{_8t^jM&=50HlaOQj8fS}_`moH$c;vI<|cruPFnpT8yU zS%rPOCUSd5Zdb(zwk`hqwTQn)*&n)uYsP*F_(~xEWq}C= zv30kFmZFwJZ@ELVX3?$dXQh|icO7UrL*_5G=I^xXjImz`ZPp>?g#tf(ej~KaIU0algsG!IS09;>?MvqGg#c{i+}qY|{P8W~O%#>|gFd z<1dr$-oxyRGN17yZo1OwLnzwYs0|;IS_nymNB0IlSzPQ%-r`?T=;_XQ^~&#}b|AB} zkNbN5uB?-sUB-T5QLlg%Uk3)uHB;>VIzGe9_J9 zaeISkQm!v(9d(0ML^b9fR^sfHFlH?7Mvddt37OuR{|O0{uv)(&-6<87W4 zyO>s!=cPgP3O&7xxU5DlIPw_o3O>6o6Qb?JWs3qw#p3sBc3g$?Dx zi(6D+DYgV;GrUis-CL%Qe{nvZnwaVXmbhH(|GFh|Q)k=1uvA$I@1DXI7bKlQ@8D6P zS?(*?><>)G49q0wr;NajpxP4W2G)kHl6^=Z>hrNEI4Mwd_$O6$1dXF;Q#hE(-eeW6 zz03GJF%Wl?HO=_ztv5*zRlcU~{+{k%#N59mgm~eK>P!QZ6E?#Cu^2)+K8m@ySvZ*5 z|HDT}BkF@3!l(0%75G=1u2hETXEj!^1Z$!)!lyGXlWD!_vqGE$Z)#cUVBqlORW>0^ zDjyVTxwKHKG|0}j-`;!R-p>}qQfBl(?($7pP<+Y8QE#M8SCDq~k<+>Q^Zf@cT_WdX3~BSe z+|KK|7OL5Hm5(NFP~j>Ct3*$wi0n0!xl=(C61`q&cec@mFlH(sy%+RH<=s)8aAPN`SfJdkAQjdv82G5iRdv8 zh{9wHUZaniSEpslXl^_ODh}mypC?b*9FzLjb~H@3DFSe;D(A-K3t3eOTB(m~I6C;(-lKAvit(70k`%@+O*Ztdz;}|_TS~B?Tpmi=QKC^m_ z2YpEaT3iiz*;T~ap1yiA)a`dKMwu`^UhIUeltNQ1Yjo=q@bI@&3zH?rVUg=IxLy-ni zyxDu%-Fr{H6owTjZU2O5>nDb=q&Jz_TjeSq%!2m40x&U6w~GQ({quPL73IsJS;f`$ zsuhioqCBj(gJ>2hoo)Gou7(WP*pX)f=Y=!=k!&1K?EYY%jJ~X&DnK{^saPQK<1BJ z_A`_{%ZozcB(3w$z^To^6d|XuT@=X~wtW!+{4ID@N{AB~J6AL5vuY>JwvWCNFKsKh zd}@>q@_WV#QZ&UJ0#?X(pXR!oyXOEG3rqzHbCzGLONDb042i$})fM@XF)uSP(DHUc z^&{|$*xe{cs?Gp8=B%RY3L7#$ve$?TWh>MZdxF1zH1v}1z+$Ov#G7?%D)bBCyDe*% zSeKSpETC2V1){II>@UwJi>4uBN+iAx+82E~gb|Cr&8E^i&)A!uv-g?jzH99wU}8+# z$nh>yvb;TwZmS@7LrvuCu_d0-WxFNI&C7%sWuTL%YU!l|I1{|->=dlOeHOCtUO#zkS3ESO8LHV4hTdQL5EdV zuWD33fFPH}HPrW^s$Qn1Xgp&AT6<-He{{4%eIu3rN=iK|9mURdKXfB&Q?qGok%!cs ze53UP{Z!TO-Y@q2;;k2avA3`lm4OoN4@S*k=UA)7H;qZ`d8`XaYFCv?Ba+uGW@r5v z&&{nf(24WSBOhc7!qF^@0cz;XcUynNaj6w2349;s!K{KVqs5yS{ z7VubS`2OzT^5#1~6Tt^RTvt9-J|D2F>y~>2;jeF>g`hx5l%B3H=aLExQihuYngzlnBTYOTHJQMzl>kwqN5JYs)Ej zblA@ntkUS~xi+}y6|(81helS}Q~&VB37qyV|S3Y=><^1wh%msQM?fz z<58MX(=|PSUKCF#)dbhR%D&xgCD?$aR0qen+wpp6 zst}vX18!Be96TD??j1HsHTUx(a&@F?=gT`Q$oJFFyrh^;zgz!(NlAHGn0cJy@us=w zNhC#l5G;H}+>49Nsh12=ZPO2r*2OBQe5kpb&1?*PIBFitK8}FUfb~S-#hKfF0o#&d z#3aPkB$9scYku&kA6{0xHnBV#&Wei5J>5T-XX-gUXEPo+9b7WL=*XESc(3BshL`aj zXp}QIp*40}oWJt*l043e8_5;H5PI5c)U&IEw5dF(4zjX0y_lk9 zAp@!mK>WUqHo)-jop=DoK>&no>kAD=^qIE7qis&_*4~ z6q^EF$D@R~3_xseCG>Ikb6Gfofb$g|75PPyyZN&tiRxqovo_k zO|HA|sgy#B<32gyU9x^&)H$1jvw@qp+1b(eGAb)O%O!&pyX@^nQd^9BQ4{(F8<}|A zhF&)xusQhtoXOOhic=8#Xtt5&slLia3c*a?dIeczyTbC#>FTfiLST57nc3@Y#v_Eg#VUv zT8cKH#f3=1PNj!Oroz_MAR*pow%Y0*6YCYmUy^7`^r|j23Q~^*TW#cU7CHf0eAD_0 zEWEVddxFgQ7=!nEBQ|ibaScslvhuUk^*%b#QUNrEB{3PG@uTxNwW}Bs4$nS9wc(~O zG7Iq>aMsYkcr!9#A;HNsJrwTDYkK8ikdj{M;N$sN6BqJ<8~z>T20{J8Z2rRUuH7~3 z=tgS`AgxbBOMg87UT4Lwge`*Y=01Dvk>)^{Iu+n6fuVX4%}>?3czOGR$0 zpp*wp>bsFFSV`V;r_m+TZns$ZprIi`OUMhe^cLE$2O+pP3nP!YB$ry}2THx2QJs3< za1;>d-AggCarrQ>&Z!d@;mW+!q6eXhb&`GbzUDSxpl8AJ#Cm#tuc)_xh(2NV=5XMs zrf_ozRYO$NkC=pKFX5OH8v1>0i9Z$ec`~Mf+_jQ68spn(CJwclDhEEkH2Qw;${J$clv__nUjn5jA0wCLEnu1j;v!0vB>Ri6m9`;R{JMS%^)4FC zU0Z44+u$I$w=Bj|iu4DT5h~sS`C*zbmX?@-crY}E+hy>}2~C0Nn(EKk@5^qO4@l@! z6O0lr%tzGC`D^)8xU3FnMZVm0kX1sBWhaQyzVoXFWwr%Ny?=2M{5s#5i7fTu3gEkG zc{(Pr$v=;`Y#&`y*J}#M9ux>0?xu!`$9cUKm#Bdd_&S#LPTS?ZPV6zN6>W6JTS~-LfjL{mB=b(KMk3 z2HjBSlJeyUVqDd=Mt!=hpYsvby2GL&3~zm;0{^nZJq+4vb?5HH4wufvr}IX42sHeK zm@x?HN$8TsTavXs)tLDFJtY9b)y~Tl@7z4^I8oUQq4JckH@~CVQ;FoK(+e0XAM>1O z(ei}h?)JQp>)d=6ng-BZF1Z5hsAKW@mXq+hU?r8I(*%`tnIIOXw7V6ZK(T9RFJJe@ zZS!aC+p)Gf2Ujc=a6hx4!A1Th%YH!Lb^xpI!Eu` zmJO{9rw){B1Ql18d%F%da+Tbu1()?o(zT7StYqK6_w`e+fjXq5L^y(0 z09QA6H4oFj59c2wR~{~>jUoDzDdKz}5#onYPJRwa`SUO)Pd4)?(ENBaFVLJr6Kvz= zhTtXqbx09C1z~~iZt;g^9_2nCZ{};-b4dQJbv8HsWHXPVg^@(*!@xycp#R?a|L!+` zY5w))JWV`Gls(=}shH0#r*;~>_+-P5Qc978+QUd>J%`fyn{*TsiG-dWMiJXNgwBaT zJ=wgYFt+1ACW)XwtNx)Q9tA2LPoB&DkL16P)ERWQlY4%Y`-5aM9mZ{eKPUgI!~J3Z zkMd5A_p&v?V-o-6TUa8BndiX?ooviev(DKw=*bBVOW|=zps9=Yl|-R5@yJe*BPzN}a0mUsLn{4LfjB_oxpv(mwq# zSY*%E{iB)sNvWfzg-B!R!|+x(Q|b@>{-~cFvdDHA{F2sFGA5QGiIWy#3?P2JIpPKg6ncI^)dvqe`_|N=8 '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH="\\\"\\\"" + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + -jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..db3a6ac --- /dev/null +++ b/gradlew.bat @@ -0,0 +1,94 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH= + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/pom.xml b/pom.xml deleted file mode 100644 index 6f1bd84..0000000 --- a/pom.xml +++ /dev/null @@ -1,161 +0,0 @@ - - - 4.0.0 - - org.springframework.boot - spring-boot-starter-parent - 3.4.5 - - - com.cleverthis - auth-service - 0.0.1-SNAPSHOT - auth-service - User management project for CleverThis - - - - - - - - - - - - - - - 21 - com.cleverthis.authservice.AuthServiceApplication - 2024.0.1 - - - - - org.springframework.cloud - spring-cloud-dependencies - ${spring-cloud.version} - pom - import - - - - - - org.springframework.boot - spring-boot-starter-validation - - - org.springframework.boot - spring-boot-starter-webflux - - - org.projectlombok - lombok - true - provided - - - org.springframework.boot - spring-boot-starter-test - test - - - io.projectreactor - reactor-test - test - - - org.springframework.cloud - spring-cloud-starter-consul-config - - - com.squareup.okhttp3 - mockwebserver - 4.12.0 - test - - - - - - - org.apache.maven.plugins - maven-compiler-plugin - - - - org.projectlombok - lombok - - - - - - org.springframework.boot - spring-boot-maven-plugin - - - - org.projectlombok - lombok - - - - - - org.jacoco - jacoco-maven-plugin - 0.8.13 - - - - prepare-agent - - - - report - prepare-package - - report - - - - - - org.apache.maven.plugins - maven-checkstyle-plugin - 3.6.0 - - - com.puppycrawl.tools - checkstyle - 10.23.1 - - - - checkstyle.xml - UTF-8 - true - true - warning - true - false - - - - validate - validate - - check - - - - - - - - diff --git a/settings.gradle.kts b/settings.gradle.kts new file mode 100644 index 0000000..9ebc9cf --- /dev/null +++ b/settings.gradle.kts @@ -0,0 +1 @@ +rootProject.name = "auth-service" diff --git a/src/main/java/com/cleverthis/authservice/config/CleverMicroClientConfig.java b/src/main/java/com/cleverthis/authservice/config/CleverMicroClientConfig.java new file mode 100644 index 0000000..0b62c52 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/config/CleverMicroClientConfig.java @@ -0,0 +1,89 @@ +package com.cleverthis.authservice.config; + +import com.cleverthis.clevermicro.client.amqp.CleverMicroAmqpClient; +import com.cleverthis.clevermicro.client.amqp.CleverMicroAmqpConfig; +import com.rabbitmq.client.ConnectionFactory; +import jakarta.annotation.PostConstruct; +import java.io.IOException; +import java.time.Duration; +import java.util.concurrent.TimeoutException; +import lombok.extern.slf4j.Slf4j; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.boot.context.properties.EnableConfigurationProperties; +import org.springframework.context.ApplicationContext; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Lazy; + +/** + * Provide {@link CleverMicroAmqpClient} as a bean. + */ +@Configuration +@EnableConfigurationProperties(CleverMicroClientConfigProperties.class) +@Slf4j +public class CleverMicroClientConfig { + + private final CleverMicroClientConfigProperties properties; + + public CleverMicroClientConfig( + final CleverMicroClientConfigProperties configProperties + ) { + this.properties = configProperties; + } + + /** + * Post construct. + */ + @PostConstruct + public void init() { + // correct availability + if (this.properties.getInitialAvailability() <= 0) { + this.properties.setInitialAvailability(Runtime.getRuntime().availableProcessors() * 2); + } + log.info("CleverMicroClientConfig initial availability: {}", + this.properties.getInitialAvailability()); + log.info("CleverMicroClient will use swarm info: serviceId={}, taskId={}", + this.properties.getSwarmServiceId(), this.properties.getSwarmTaskId()); + } + + /** + * Provide a RabbitMQ {@link ConnectionFactory}. + */ + @Bean + @Lazy + public ConnectionFactory connectionFactory() { + final var factory = new ConnectionFactory(); + factory.setHost(this.properties.getRabbitmqHost()); + factory.setPort(this.properties.getRabbitmqPort()); + factory.setUsername(this.properties.getRabbitmqUsername()); + factory.setPassword(this.properties.getRabbitmqPassword()); + factory.setVirtualHost(this.properties.getRabbitmqVhost()); + factory.setAutomaticRecoveryEnabled(true); + return factory; + } + + /** + * Create a {@link CleverMicroAmqpClient} bean. + */ + @Bean + @Lazy + @ConditionalOnMissingBean + public CleverMicroAmqpClient cleverMicroAmqpClient( + final ConnectionFactory connectionFactory, + final ApplicationContext applicationContext + ) throws IOException, TimeoutException { + final var client = new CleverMicroAmqpClient( + connectionFactory.newConnection(), CleverMicroAmqpConfig.builder() + .serviceName(applicationContext.getApplicationName()) + .swarmServiceId(this.properties.getSwarmServiceId()) + .swarmTaskId(this.properties.getSwarmTaskId()) + .reportAvailabilityUsageCooldown(Duration.ofMillis(250)) + .reportAvailabilityRecoveryCooldown(Duration.ofSeconds(1)) + .reportAvailabilityRegularCooldown(Duration.ofSeconds(5)) + .build() + ); + client.getHandlerManager().getAvailability() + .release(this.properties.getInitialAvailability()); + return client; + } +} diff --git a/src/main/java/com/cleverthis/authservice/config/CleverMicroClientConfigProperties.java b/src/main/java/com/cleverthis/authservice/config/CleverMicroClientConfigProperties.java new file mode 100644 index 0000000..b3903a3 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/config/CleverMicroClientConfigProperties.java @@ -0,0 +1,65 @@ +package com.cleverthis.authservice.config; + +import lombok.Builder; +import lombok.Getter; +import lombok.Setter; +import org.springframework.boot.context.properties.ConfigurationProperties; + +/** + * Config properties for {@link CleverMicroClientConfig}. + */ +@ConfigurationProperties(prefix = "clevermicro.client") +@Builder +@Getter +@Setter +public class CleverMicroClientConfigProperties { + /** + * Host of the rabbitmq server. + */ + @Builder.Default + private String rabbitmqHost = "localhost"; + + /** + * The port of the rabbitmq server. + */ + @Builder.Default + private int rabbitmqPort = 5672; + + /** + * RabbitMQ username. + */ + @Builder.Default + private String rabbitmqUsername = "guest"; + + /** + * RabbitMQ password. + */ + @Builder.Default + private String rabbitmqPassword = "guest"; + + /** + * Vhost of the rabbitmq server. + */ + @Builder.Default + private String rabbitmqVhost = "/"; + + /** + * Initial availability. + *

+ * Default: CPU cores * 2, since the workload for auth-service is mainly IO-intensive. + *

+ *

Set to -1 to use the default value.

+ * */ + @Builder.Default + private int initialAvailability = Runtime.getRuntime().availableProcessors() * 2; + + /** + * Docker swarm service id. + */ + private String swarmServiceId; + + /** + * Docker swarm task id. + */ + private String swarmTaskId; +} diff --git a/src/main/java/com/cleverthis/authservice/config/KeycloakClientConfig.java b/src/main/java/com/cleverthis/authservice/config/KeycloakClientConfig.java index fcd73dd..cb328da 100644 --- a/src/main/java/com/cleverthis/authservice/config/KeycloakClientConfig.java +++ b/src/main/java/com/cleverthis/authservice/config/KeycloakClientConfig.java @@ -1,15 +1,37 @@ package com.cleverthis.authservice.config; +import com.cleverthis.authservice.service.impl.KeycloakAdminReactiveClient; +import org.keycloak.admin.client.Keycloak; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.context.properties.EnableConfigurationProperties; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Lazy; /** * Config for keycloak clients: * {@link com.cleverthis.authservice.service.impl.KeycloakIdentityManagerService} - * and {@link com.cleverthis.authservice.service.impl.KeycloakAdminClient}. + * and {@link KeycloakAdminReactiveClient}. */ @Configuration @EnableConfigurationProperties(KeycloakClientConfigProperties.class) public class KeycloakClientConfig { - // empty for now + + /** + * Create a Keycloak admin client. + * */ + @Bean + @Lazy + @ConditionalOnMissingBean + public Keycloak keycloakAdminClient( + final KeycloakClientConfigProperties configProperties + ) { + return Keycloak.getInstance( + configProperties.getKeycloakAdminHost(), + configProperties.getRealm(), + configProperties.getAdminAccountUsername(), + configProperties.getAdminAccountPassword(), + "admin-cli" + ); + } } diff --git a/src/main/java/com/cleverthis/authservice/config/PermissionMappingConfigProperties.java b/src/main/java/com/cleverthis/authservice/config/PermissionMappingConfigProperties.java index 4f2598b..025afa1 100644 --- a/src/main/java/com/cleverthis/authservice/config/PermissionMappingConfigProperties.java +++ b/src/main/java/com/cleverthis/authservice/config/PermissionMappingConfigProperties.java @@ -40,6 +40,7 @@ public class PermissionMappingConfigProperties { @NotBlank(message = "Keycloak Client ID cannot be blank in permission mapping rule") private String keycloakClientId; + @Builder.Default private List passthroughs = new ArrayList<>(); } diff --git a/src/main/java/com/cleverthis/authservice/controller/AuthController.java b/src/main/java/com/cleverthis/authservice/controller/AuthController.java index 90a1804..2046d0e 100644 --- a/src/main/java/com/cleverthis/authservice/controller/AuthController.java +++ b/src/main/java/com/cleverthis/authservice/controller/AuthController.java @@ -187,17 +187,19 @@ public class AuthController { log.info("Received forwardAuth request: Method='{}', Uri='{}'", originalMethod, originalUriString); // first detect the client id and service relative path - final var targetServiceClientIdOpt = getTargetServiceClientId(originalUriString); - if (targetServiceClientIdOpt.isEmpty()) { + final var optionalRule = getPermissionCheckRuleByUri(originalUriString); + if (optionalRule.isEmpty()) { log.warn("ForwardAuth: No Keycloak client mapping found for URI: {}", originalUriString); return Mono.just(ResponseEntity.status(HttpStatus.FORBIDDEN).build()); } - final var targetServiceClientId = targetServiceClientIdOpt.get(); + final var rule = optionalRule.get(); + + final var targetServiceClientId = rule.getKeycloakClientId(); final var serviceRelativePath = - extractServiceRelativePath(originalUriString, targetServiceClientId); + extractServiceRelativePath(originalUriString, rule); // then check pass-through rule - if (shouldPassThrough(targetServiceClientId, serviceRelativePath)) { + if (shouldPassThrough(rule, serviceRelativePath)) { return Mono.just(ResponseEntity.status(HttpStatus.NO_CONTENT).build()); } if (authorizationHeader == null) { @@ -276,16 +278,15 @@ public class AuthController { } private boolean shouldPassThrough( - final String serviceClientId, final String serviceRelativePath + final PermissionMappingConfigProperties.Rule rule, final String serviceRelativePath ) { - final var rules = this.permissionMapLookupService - .getPassThoughRulesByClientId(serviceClientId); + final var passthroughs = rule.getPassthroughs(); try { - return rules.stream() + return passthroughs.stream() .anyMatch(it -> executePassThroughRule(it, serviceRelativePath)); } catch (final Throwable throwable) { log.error("Error executing pass-through rule for client {} : {}", - serviceClientId, throwable.getMessage(), throwable); + rule.getKeycloakClientId(), throwable.getMessage(), throwable); return false; } } @@ -300,13 +301,15 @@ public class AuthController { }; } - private Optional getTargetServiceClientId(String fullUriString) { + private Optional getPermissionCheckRuleByUri( + String fullUriString + ) { try { URI uri = new URI(fullUriString); String path = uri.getPath(); // Get path part, e.g., /cleverswarm/api/jobs/123 log.debug("Mapping URI path: {}", path); - final var pathMatch = this.permissionMapLookupService.matchClientIdByPath(path); + final var pathMatch = this.permissionMapLookupService.matchRuleByPath(path); if (pathMatch.isPresent()) { return pathMatch; } @@ -315,7 +318,9 @@ public class AuthController { log.debug( "No rule matched for path '{}', using default Keycloak Client ID:{}", path, defaultValue); - return Optional.of(defaultValue); + return Optional.of(PermissionMappingConfigProperties.Rule.builder() + .keycloakClientId(defaultValue) + .build()); } } catch (URISyntaxException e) { log.error("Invalid URI syntax for X-Forwarded-Uri: {}", fullUriString, e); @@ -324,17 +329,11 @@ public class AuthController { return Optional.empty(); } - private String extractServiceRelativePath(String fullUriString, String mappedKeycloakClientId) { - // Find the rule that gave us this mappedKeycloakClientId to get its pathPrefix - Optional matchedRule = - this.permissionMapLookupService.matchRuleByClientIdAndPath( - mappedKeycloakClientId, fullUriString - ); - - String pathPrefixToRemove = ""; - if (matchedRule.isPresent()) { - pathPrefixToRemove = matchedRule.get().getPathPrefix(); - } else if (mappedKeycloakClientId + private String extractServiceRelativePath( + String fullUriString, PermissionMappingConfigProperties.Rule rule + ) { + String pathPrefixToRemove = rule.getPathPrefix(); + if (rule.getKeycloakClientId() .equals(this.permissionMapLookupService.getDefaultKeycloakClientId())) { // If it's a default mapping, there's no prefix to remove, use the whole path. // Or, you might decide that default mappings always apply to root paths. This diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/AbstractEndpoint.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/AbstractEndpoint.java new file mode 100644 index 0000000..2348792 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/AbstractEndpoint.java @@ -0,0 +1,148 @@ +package com.cleverthis.authservice.controller.rabbitmq; + +import com.cleverthis.authservice.controller.rabbitmq.exception.EndpointBadRequestException; +import com.cleverthis.authservice.controller.rabbitmq.exception.EndpointException; +import com.cleverthis.authservice.controller.rabbitmq.model.EndpointRequest; +import com.cleverthis.authservice.controller.rabbitmq.model.EndpointResponses; +import com.cleverthis.clevermicro.client.amqp.CleverMicroAmqpClient; +import com.cleverthis.clevermicro.client.amqp.handler.HandlerContext; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.rabbitmq.client.BuiltinExchangeType; +import jakarta.annotation.PreDestroy; +import java.io.IOException; +import java.io.InputStream; +import java.util.Map; +import lombok.extern.slf4j.Slf4j; + +/** + * Abstract class for endpoint of auth-service over RabbitMQ. + */ +@Slf4j +public abstract class AbstractEndpoint implements AutoCloseable { + public static final String ENDPOINT_EXCHANGE = "cleverthis.clevermicro.auth.endpoints"; + public static final BuiltinExchangeType ENDPOINT_EXCHANGE_TYPE = BuiltinExchangeType.DIRECT; + + private final String handlerTag; + private final CleverMicroAmqpClient client; + protected final ObjectMapper objectMapper; + + private final String queueName; + + /** + * Initialize this abstract class. + */ + public AbstractEndpoint( + final CleverMicroAmqpClient client, + final ObjectMapper objectMapper, + final String routingKey + ) throws IOException { + this.client = client; + this.objectMapper = objectMapper; + + this.queueName = ENDPOINT_EXCHANGE + "." + routingKey; + client.getHandlerManager().declareExchange(ENDPOINT_EXCHANGE, ENDPOINT_EXCHANGE_TYPE); + client.getHandlerManager().declareQueue( + this.queueName, true, false, false, Map.of() + ); + client.getHandlerManager().bindQueue( + this.queueName, ENDPOINT_EXCHANGE, routingKey, Map.of() + ); + this.handlerTag = client.getHandlerManager().registerHandler( + this.queueName, "", 1, + ctx -> new Thread(() -> handleRabbitMessage(ctx)).start(), + tag -> log.info("Endpoint canceled for queue {}: handlerTag={}", + this.queueName, tag) + ); + } + + // VisibleForTesting + void handleRabbitMessage(final HandlerContext ctx) { + try { + final var req = parseRequest(ctx); + if (req == null) { + throw new EndpointBadRequestException( + "Malformed request, cannot be parsed"); + } + handleRequest(ctx, req); + } catch (final EndpointException ex) { + final var resp = EndpointResponses.error(ex); + reply(ctx, resp); + } catch (final Throwable t) { + log.error( + "Error when handling request for queue {}, only refill availability", + this.queueName, t + ); + final var resp = EndpointResponses.internalServerError( + "Error when handling the request", t); + reply(ctx, resp); + } + } + + + // VisibleForTesting + EndpointRequest parseRequest(final HandlerContext ctx) { + InputStream reqStream = null; + if (ctx.getMessageBodySingleStream().isPresent()) { + reqStream = ctx.getMessageBodySingleStream().get(); + } else if (ctx.getMessageBodyMultiStream().isPresent()) { + final var multibody = ctx.getMessageBodyMultiStream().get(); + reqStream = multibody.get("request"); + } + // check null + if (reqStream == null) { + return null; + } + // parsing, need to convert to final + try (final var stream = reqStream) { + return this.objectMapper.readValue( + stream, + EndpointRequest.class + ); + } catch (final IOException ex) { + log.error("Error when parsing single stream request for queue: {}", this.queueName, ex); + return null; + } + } + + /** + * Handle a request. + */ + protected abstract void handleRequest( + final HandlerContext ctx, + final EndpointRequest request + ) throws EndpointException; + + /** + * Try to reply. Refill counter if error. + */ + protected void reply(final HandlerContext ctx, final Object response) { + final byte[] bytes; + try { + bytes = this.objectMapper.writerWithDefaultPrettyPrinter() + .writeValueAsBytes(response); + } catch (final JsonProcessingException ex) { + log.error("Error when serializing response, ignore reply and refill counter. Queue {}", + this.queueName, ex); + ctx.refillAvailability(); + return; + } + try { + ctx.finish(bytes); + } catch (final IOException ex) { + // the counter should be refilled before exception + log.error("Error when replying request for queue {}", this.queueName, ex); + } + } + + /** + * Close the endpoint and release resources. + * Should be called in {@link jakarta.annotation.PreDestroy} annotated methods. + */ + @Override + @PreDestroy + public void close() { + log.info("Closing Endpoint for queue: {}, consumerTag={}", this.queueName, this.handlerTag); + this.client.getHandlerManager().cancelHandler(this.handlerTag); + } +} diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointBadRequestException.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointBadRequestException.java new file mode 100644 index 0000000..33052a3 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointBadRequestException.java @@ -0,0 +1,21 @@ +package com.cleverthis.authservice.controller.rabbitmq.exception; + +/** + * Exception to signal the request is malformed or invalid. + */ +public class EndpointBadRequestException extends EndpointException { + private static final String ENDPOINT_EXCEPTION = "cleverthis.clevermicro.bad_request"; + + public EndpointBadRequestException( + final String message, + final Throwable cause + ) { + super(ENDPOINT_EXCEPTION, message, cause); + } + + public EndpointBadRequestException( + final String message + ) { + super(ENDPOINT_EXCEPTION, message); + } +} diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointException.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointException.java new file mode 100644 index 0000000..bd34665 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointException.java @@ -0,0 +1,28 @@ +package com.cleverthis.authservice.controller.rabbitmq.exception; + +import lombok.Getter; + +/** + * Exception for endpoints. + */ +public class EndpointException extends Exception { + @Getter + private final String endpointException; + + public EndpointException( + final String endpointException, + final String message, + final Throwable cause + ) { + super(message, cause); + this.endpointException = endpointException; + } + + public EndpointException( + final String endpointException, + final String message + ) { + super(message); + this.endpointException = endpointException; + } +} diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointInternalServerErrorException.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointInternalServerErrorException.java new file mode 100644 index 0000000..95cba49 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/exception/EndpointInternalServerErrorException.java @@ -0,0 +1,15 @@ +package com.cleverthis.authservice.controller.rabbitmq.exception; + +/** + * Exception to signal the handler is failed abnormally. + */ +public class EndpointInternalServerErrorException extends EndpointException { + private static final String ENDPOINT_EXCEPTION = "cleverthis.clevermicro.server_internal_error"; + + public EndpointInternalServerErrorException( + final String message, + final Throwable cause + ) { + super(ENDPOINT_EXCEPTION, message, cause); + } +} diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointErrorResponse.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointErrorResponse.java new file mode 100644 index 0000000..b0e99f0 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointErrorResponse.java @@ -0,0 +1,39 @@ +package com.cleverthis.authservice.controller.rabbitmq.model; + +import com.fasterxml.jackson.annotation.JsonProperty; +import lombok.Builder; +import lombok.EqualsAndHashCode; +import lombok.Getter; +import lombok.Setter; +import lombok.ToString; + +/** + * The model for replied response. + */ +@EqualsAndHashCode(callSuper = true) +@Getter +@Setter +@ToString +@Builder +public final class EndpointErrorResponse extends EndpointResponse { + @JsonProperty("exception") + private final String exception; + @JsonProperty("message") + private final String message; + @JsonProperty("additional_info") + private final Object additionalInfo; + + /** + * Create an error response. + */ + public EndpointErrorResponse( + final String exception, + final String message, + final Object additionalInfo + ) { + super("ERROR"); + this.exception = exception; + this.message = message; + this.additionalInfo = additionalInfo; + } +} diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointOkResponse.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointOkResponse.java new file mode 100644 index 0000000..8aadf33 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointOkResponse.java @@ -0,0 +1,27 @@ +package com.cleverthis.authservice.controller.rabbitmq.model; + +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.List; +import lombok.Builder; +import lombok.EqualsAndHashCode; +import lombok.Getter; +import lombok.Setter; +import lombok.ToString; + +/** + * The model for replied response. + */ +@EqualsAndHashCode(callSuper = true) +@Getter +@Setter +@ToString +@Builder +public class EndpointOkResponse extends EndpointResponse { + @JsonProperty("result") + private final List result; + + public EndpointOkResponse(final List result) { + super("OK"); + this.result = result; + } +} diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointRequest.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointRequest.java new file mode 100644 index 0000000..39bfe92 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointRequest.java @@ -0,0 +1,19 @@ +package com.cleverthis.authservice.controller.rabbitmq.model; + +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.databind.JsonNode; +import java.util.LinkedHashMap; +import lombok.Builder; +import lombok.Data; + +/** + * The model for incoming requests. + */ +@Data +@Builder +public class EndpointRequest { + @JsonProperty("method") + private final String method; + @JsonProperty("args") + private final LinkedHashMap args; +} diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointResponse.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointResponse.java new file mode 100644 index 0000000..a8027c5 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointResponse.java @@ -0,0 +1,19 @@ +package com.cleverthis.authservice.controller.rabbitmq.model; + +import com.fasterxml.jackson.annotation.JsonProperty; +import lombok.Getter; +import lombok.Setter; + +/** + * The model for replied response. + */ +@Getter +@Setter +public abstract class EndpointResponse { + @JsonProperty("type") + protected final String type; + + protected EndpointResponse(final String type) { + this.type = type; + } +} diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointResponses.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointResponses.java new file mode 100644 index 0000000..c0e2ab6 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/model/EndpointResponses.java @@ -0,0 +1,84 @@ +package com.cleverthis.authservice.controller.rabbitmq.model; + +import com.cleverthis.authservice.controller.rabbitmq.exception.EndpointException; +import com.cleverthis.authservice.controller.rabbitmq.exception.EndpointInternalServerErrorException; +import java.io.PrintWriter; +import java.io.StringWriter; +import java.util.Arrays; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; + +/** + * The model for replied response. + */ +public class EndpointResponses { + private EndpointResponses() { + } + + /** + * Create an error response from endpoint exception. + */ + public static EndpointErrorResponse error( + final EndpointException ex + ) { + final var sw = new StringWriter(); + final var pw = new PrintWriter(sw); + ex.printStackTrace(pw); + pw.flush(); + pw.close(); + return EndpointErrorResponse.builder() + .exception(ex.getEndpointException()) + .message(ex.getMessage()) + .additionalInfo(Map.of( + "stacktrace", sw.toString() + )) + .build(); + } + + /** + * Create an error response from general exception. + */ + public static EndpointErrorResponse internalServerError( + final String message, + final Throwable throwable + ) { + return EndpointResponses.error( + new EndpointInternalServerErrorException( + message, throwable + ) + ); + } + + /** + * Create an ok response from a result. + */ + public static EndpointOkResponse ok(final T result) { + return EndpointOkResponse.builder() + .result(List.of(result)) + .build(); + } + + /** + * Create an ok response from a list of results. + */ + public static EndpointOkResponse ok(final Iterable result) { + final var list = new LinkedList(); + result.forEach(list::add); + return EndpointOkResponse.builder() + .result(list) + .build(); + } + + /** + * Create an ok response from an array of results. + */ + public static EndpointOkResponse ok(final T[] result) { + // here we make a copy so the changes to the input array + // will not change the result field. + final var list = new LinkedList<>(Arrays.asList(result)); + return EndpointOkResponse.builder() + .result(list) + .build(); + } +} diff --git a/src/main/java/com/cleverthis/authservice/controller/rabbitmq/v1/user/UserEndpointV1.java b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/v1/user/UserEndpointV1.java new file mode 100644 index 0000000..b8b8a56 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/controller/rabbitmq/v1/user/UserEndpointV1.java @@ -0,0 +1,70 @@ +package com.cleverthis.authservice.controller.rabbitmq.v1.user; + +import com.cleverthis.authservice.controller.rabbitmq.AbstractEndpoint; +import com.cleverthis.authservice.controller.rabbitmq.exception.EndpointBadRequestException; +import com.cleverthis.authservice.controller.rabbitmq.exception.EndpointException; +import com.cleverthis.authservice.controller.rabbitmq.model.EndpointRequest; +import com.cleverthis.authservice.controller.rabbitmq.model.EndpointResponses; +import com.cleverthis.authservice.service.impl.KeycloakAdminReactiveClient; +import com.cleverthis.clevermicro.client.amqp.CleverMicroAmqpClient; +import com.cleverthis.clevermicro.client.amqp.handler.HandlerContext; +import com.fasterxml.jackson.databind.ObjectMapper; +import java.io.IOException; +import java.util.NoSuchElementException; +import org.keycloak.representations.idm.UserRepresentation; +import org.springframework.stereotype.Component; + +/** + * Serve endpoints on `user-service-v1`. + */ +@Component +public class UserEndpointV1 extends AbstractEndpoint { + private static final String ROUTING_KEY = "user-service-v1"; + + private final KeycloakAdminReactiveClient keycloakAdminClient; + + public UserEndpointV1( + final CleverMicroAmqpClient client, + final ObjectMapper objectMapper, + final KeycloakAdminReactiveClient keycloakAdminClient + ) throws IOException { + super(client, objectMapper, ROUTING_KEY); + this.keycloakAdminClient = keycloakAdminClient; + } + + @Override + protected void handleRequest( + final HandlerContext ctx, final EndpointRequest request + ) throws EndpointException { + //noinspection SwitchStatementWithTooFewBranches + final Object result = switch (request.getMethod()) { + case "queryUserById" -> queryUserById(request); + default -> throw new EndpointBadRequestException("Method not found"); + }; + reply(ctx, EndpointResponses.ok(result)); + } + + private UserRepresentation queryUserById( + final EndpointRequest request + ) throws EndpointException { + final var argId = request.getArgs().get("id"); + if (argId == null) { + throw new EndpointBadRequestException("Missing parameter 'id'"); + } + if (!argId.isTextual()) { + throw new EndpointBadRequestException( + "Invalid type for parameter 'id', required non-null string"); + } + // this should be non-null + final var id = argId.textValue(); + try { + return this.keycloakAdminClient.getUserDetails(id).block(); + } catch (final NoSuchElementException ex) { + throw new EndpointException( + "cleverthis.clevermicro.auth.user_not_found", + "User id " + id + "not found", + ex + ); + } + } +} diff --git a/src/main/java/com/cleverthis/authservice/dto/keycloakadmin/KeycloakOrganizationRepresentation.java b/src/main/java/com/cleverthis/authservice/dto/keycloakadmin/KeycloakOrganizationRepresentation.java index 3d2310b..29feb3c 100644 --- a/src/main/java/com/cleverthis/authservice/dto/keycloakadmin/KeycloakOrganizationRepresentation.java +++ b/src/main/java/com/cleverthis/authservice/dto/keycloakadmin/KeycloakOrganizationRepresentation.java @@ -8,6 +8,7 @@ import java.util.Set; import lombok.AllArgsConstructor; import lombok.Data; import lombok.NoArgsConstructor; +import org.keycloak.representations.idm.OrganizationDomainRepresentation; /** * Data Transfer Object for representing a Keycloak Organization when interacting with the Keycloak diff --git a/src/main/java/com/cleverthis/authservice/dto/keycloakadmin/OrganizationDomainRepresentation.java b/src/main/java/com/cleverthis/authservice/dto/keycloakadmin/OrganizationDomainRepresentation.java deleted file mode 100644 index 05b8c74..0000000 --- a/src/main/java/com/cleverthis/authservice/dto/keycloakadmin/OrganizationDomainRepresentation.java +++ /dev/null @@ -1,18 +0,0 @@ -package com.cleverthis.authservice.dto.keycloakadmin; - -import com.fasterxml.jackson.annotation.JsonIgnoreProperties; -import lombok.AllArgsConstructor; -import lombok.Data; -import lombok.NoArgsConstructor; - -/** - * Representation of an organization's internet domain within Keycloak. - */ -@Data -@NoArgsConstructor -@AllArgsConstructor -@JsonIgnoreProperties(ignoreUnknown = true) -public class OrganizationDomainRepresentation { - private String name; - private Boolean verified; -} diff --git a/src/main/java/com/cleverthis/authservice/dto/organization/OrganizationResponse.java b/src/main/java/com/cleverthis/authservice/dto/organization/OrganizationResponse.java index 717f3c2..6ccec9f 100644 --- a/src/main/java/com/cleverthis/authservice/dto/organization/OrganizationResponse.java +++ b/src/main/java/com/cleverthis/authservice/dto/organization/OrganizationResponse.java @@ -1,19 +1,19 @@ package com.cleverthis.authservice.dto.organization; -import com.cleverthis.authservice.dto.keycloakadmin.OrganizationDomainRepresentation; import java.util.List; import java.util.Map; import java.util.Set; import lombok.AllArgsConstructor; import lombok.Data; import lombok.NoArgsConstructor; +import org.keycloak.representations.idm.OrganizationDomainRepresentation; /** * DTO for representing an Organization in API responses. */ @Data @NoArgsConstructor -@AllArgsConstructor +@AllArgsConstructor public class OrganizationResponse { private String id; diff --git a/src/main/java/com/cleverthis/authservice/service/IdentityManagerService.java b/src/main/java/com/cleverthis/authservice/service/IdentityManagerService.java index 691dcca..4f97e5f 100644 --- a/src/main/java/com/cleverthis/authservice/service/IdentityManagerService.java +++ b/src/main/java/com/cleverthis/authservice/service/IdentityManagerService.java @@ -12,6 +12,8 @@ import com.cleverthis.authservice.dto.organization.OrganizationMemberResponse; import com.cleverthis.authservice.dto.organization.OrganizationResponse; import com.cleverthis.authservice.dto.organization.UpdateOrganizationRequest; import java.util.List; +import org.keycloak.representations.idm.GroupRepresentation; +import org.keycloak.representations.idm.OrganizationRepresentation; import reactor.core.publisher.Mono; /** diff --git a/src/main/java/com/cleverthis/authservice/service/PermissionMapLookupService.java b/src/main/java/com/cleverthis/authservice/service/PermissionMapLookupService.java index 6ad18ef..0037b60 100644 --- a/src/main/java/com/cleverthis/authservice/service/PermissionMapLookupService.java +++ b/src/main/java/com/cleverthis/authservice/service/PermissionMapLookupService.java @@ -1,7 +1,6 @@ package com.cleverthis.authservice.service; import com.cleverthis.authservice.config.PermissionMappingConfigProperties; -import java.util.List; import java.util.Optional; /** @@ -17,18 +16,5 @@ public interface PermissionMapLookupService { /** * Given the path, find the client id of the first rule matching the path prefix. */ - Optional matchClientIdByPath(String path); - - /** - * Given the client id and path, find the rule that both matches the client id exactly, - * and match the path prefix. - */ - Optional matchRuleByClientIdAndPath( - String clientId, String path); - - /** - * Return the list of pass-through rules by client id. - */ - List getPassThoughRulesByClientId( - String clientId); + Optional matchRuleByPath(String path); } diff --git a/src/main/java/com/cleverthis/authservice/service/impl/FallbackPermissionMapLookupService.java b/src/main/java/com/cleverthis/authservice/service/impl/FallbackPermissionMapLookupService.java index 4e6ffbc..ae2ef21 100644 --- a/src/main/java/com/cleverthis/authservice/service/impl/FallbackPermissionMapLookupService.java +++ b/src/main/java/com/cleverthis/authservice/service/impl/FallbackPermissionMapLookupService.java @@ -5,7 +5,6 @@ import com.cleverthis.authservice.service.PermissionMapLookupService; import com.ecwid.consul.v1.ConsulClient; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; -import java.util.List; import java.util.Optional; import java.util.concurrent.atomic.AtomicReference; import lombok.extern.slf4j.Slf4j; @@ -102,38 +101,15 @@ public final class FallbackPermissionMapLookupService implements PermissionMapLo } @Override - public Optional matchClientIdByPath(final String path) { + public Optional matchRuleByPath(final String path) { final var config = getConfig(); for (final var rule : config.getRules()) { if (path.startsWith(rule.getPathPrefix())) { log.debug("Path '{}' matched prefix '{}', using Keycloak Client ID: {}", path, rule.getPathPrefix(), rule.getKeycloakClientId()); - return Optional.of(rule.getKeycloakClientId()); + return Optional.of(rule); } } return Optional.empty(); } - - @Override - public Optional matchRuleByClientIdAndPath( - final String clientId, final String path - ) { - final var config = getConfig(); - return config.getRules().stream() - .filter(rule -> - rule.getKeycloakClientId().equals(clientId) - && path.startsWith(rule.getPathPrefix())) - .findFirst(); - } - - @Override - public List getPassThoughRulesByClientId( - final String clientId - ) { - final var config = getConfig(); - return config.getRules().stream() - .filter(rule -> rule.getKeycloakClientId().equals(clientId)) - .flatMap(rule -> rule.getPassthroughs().stream()) - .toList(); - } } diff --git a/src/main/java/com/cleverthis/authservice/service/impl/KeycloakAdminClient.java b/src/main/java/com/cleverthis/authservice/service/impl/KeycloakAdminClient.java deleted file mode 100644 index 6384d3f..0000000 --- a/src/main/java/com/cleverthis/authservice/service/impl/KeycloakAdminClient.java +++ /dev/null @@ -1,531 +0,0 @@ -package com.cleverthis.authservice.service.impl; - -import com.cleverthis.authservice.config.KeycloakClientConfigProperties; -import com.cleverthis.authservice.dto.KeycloakAdminTokenResponse; -import com.cleverthis.authservice.dto.KeycloakClientRepresentation; -import com.cleverthis.authservice.dto.KeycloakRoleRepresentation; -import com.cleverthis.authservice.dto.keycloakadmin.KeycloakGroupRepresentation; -import com.cleverthis.authservice.dto.keycloakadmin.KeycloakInvitationRequest; -import com.cleverthis.authservice.dto.keycloakadmin.KeycloakOrganizationRepresentation; -import com.cleverthis.authservice.dto.keycloakadmin.KeycloakUserRepresentation; -import com.cleverthis.authservice.exception.ServiceUnavailableException; -import java.net.URI; -import java.time.Duration; -import java.util.List; -import java.util.concurrent.atomic.AtomicReference; -import lombok.extern.slf4j.Slf4j; -import org.springframework.beans.factory.annotation.Qualifier; -import org.springframework.http.HttpHeaders; -import org.springframework.http.MediaType; -import org.springframework.stereotype.Service; -import org.springframework.util.LinkedMultiValueMap; -import org.springframework.util.MultiValueMap; -import org.springframework.web.reactive.function.BodyInserters; -import org.springframework.web.reactive.function.client.WebClient; -import org.springframework.web.util.UriComponentsBuilder; -import reactor.core.publisher.Mono; -import reactor.util.retry.Retry; - -/** - * Service to interact with Keycloak Admin API. Handles obtaining an admin token for this - * auth-service and making admin calls. - */ -@Service -@Slf4j -public class KeycloakAdminClient { - - private final WebClient webClient; - private final AtomicReference adminAccessToken = new AtomicReference<>(); - private final AtomicReference tokenExpiryTime = new AtomicReference<>(0L); - - private final String keycloakAdminHost; - private final String realm; - private final String adminAccountUsername; - private final String adminAccountPassword; - - /** - * Create a keycloak admin client. - */ - public KeycloakAdminClient( - @Qualifier("keycloakWebClient") final WebClient webClient, - final KeycloakClientConfigProperties configProperties - ) { - this.webClient = webClient; - this.keycloakAdminHost = configProperties.getKeycloakAdminHost(); - this.realm = configProperties.getRealm(); - this.adminAccountUsername = configProperties.getAdminAccountUsername(); - this.adminAccountPassword = configProperties.getAdminAccountPassword(); - } - - private String getAdminTokenEndpoint() { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/realms/{realm}/protocol/openid-connect/token") - .buildAndExpand(this.realm) - .encode().toUriString(); - } - - private String getClientsEndpoint() { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/clients") - .buildAndExpand(this.realm) - .encode().toUriString(); - } - - private String getUserClientRolesEndpoint(String userId, String clientInternalId) { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/users/{userId}" - + "/role-mappings/clients/{clientId}/composite") - .buildAndExpand(this.realm, this.realm, userId, clientInternalId) - .encode().toUriString(); - } - - private String getOrganizationByIdEndpoint(String orgId) { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/organizations/{orgId}") - .buildAndExpand(this.realm, orgId) - .encode().toUriString(); - } - - private String getOrganizationsEndpoint() { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/organizations") - .buildAndExpand(this.realm) - .encode().toUriString(); - } - - private String getOrganizationMembersEndpoint(String orgId) { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/organizations/{orgId}/members") - .buildAndExpand(this.realm, orgId) - .encode().toUriString(); - } - - private String getOrganizationMemberByIdEndpoint(String orgId, String userId) { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/organizations/{orgId}/members/{userId}") - .buildAndExpand(this.realm, orgId, userId) - .encode().toUriString(); - } - - private String getOrganizationInvitationEndpoint(String orgId) { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/organizations/{orgId}/members/invite-user") - .buildAndExpand(this.realm, orgId) - .encode().toUriString(); - } - - private String getGroupsEndpoint() { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/groups") - .buildAndExpand(this.realm).toUriString(); - } - - private String getGroupByIdEndpoint(String groupId) { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/groups/{groupId}") - .buildAndExpand(this.realm, groupId).encode().toUriString(); - } - - private String getGroupChildrenEndpoint(String parentGroupId) { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/groups/{parentGroupId}/children") - .buildAndExpand(this.realm, parentGroupId) - .encode().toUriString(); - } - - private String getGroupMembersEndpoint(String groupId) { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/groups/{groupId}/members") - .buildAndExpand(this.realm, groupId).encode() - .toUriString(); - } - - private String getGroupMemberByIdEndpoint(String groupId, String userId) { - return UriComponentsBuilder.fromUriString(this.keycloakAdminHost) - .path("/admin/realms/{realm}/users/{userId}/groups/{groupId}") - .buildAndExpand(this.realm, userId, groupId).encode().toUriString(); - } - - /** - * Retrieves a valid admin access token for this service, refreshing if necessary. Uses client - * credentials grant. - * - * @return Mono emitting the admin access token. - */ - Mono getAdminAccessToken() { - if (System.currentTimeMillis() < this.tokenExpiryTime.get() - && this.adminAccessToken.get() != null) { - log.debug("Using cached admin access token."); - return Mono.just(this.adminAccessToken.get()); - } - - log.info("Fetching new admin access token for auth-service using account: {}", - this.adminAccountUsername); - MultiValueMap formData = new LinkedMultiValueMap<>(); - formData.add("client_id", "admin-cli"); - formData.add("username", this.adminAccountUsername); - formData.add("password", this.adminAccountPassword); - formData.add("grant_type", "password"); - - return this.webClient.post().uri(getAdminTokenEndpoint()) - .contentType(MediaType.APPLICATION_FORM_URLENCODED) - .body(BodyInserters.fromFormData(formData)).retrieve() - .onStatus(status -> status.is4xxClientError() || status.is5xxServerError(), - response -> response.bodyToMono(String.class).flatMap(errorBody -> { - log.error("Failed to get admin token. Status: {}, Body: {}", - response.statusCode(), errorBody); - return Mono.error(new ServiceUnavailableException( - "Could not obtain admin token from Keycloak. Status: " - + response.statusCode())); - })) - .bodyToMono(KeycloakAdminTokenResponse.class).map(tokenResponse -> { - this.adminAccessToken.set(tokenResponse.getAccessToken()); - // Set expiry time slightly before actual expiry to be safe (e.g., 30 seconds - // buffer) - this.tokenExpiryTime.set(System.currentTimeMillis() - + (tokenResponse.getExpiresIn() - 30) * 1000L); - log.info("Successfully obtained new admin access token."); - return tokenResponse.getAccessToken(); - }) - .retryWhen(Retry.backoff(3, Duration.ofSeconds(2)) - .maxBackoff(Duration.ofSeconds(10)) - .filter(throwable -> throwable instanceof ServiceUnavailableException) - .doBeforeRetry( - retrySignal -> log.warn("Retrying admin token fetch attempt #{}", - retrySignal.totalRetries() + 1))); - } - - /** - * Fetches the internal UUID of a Keycloak client given its public clientId. - * - * @param publicClientId The human-readable client_id (e.g., "cleverswarm-client"). - * @return Mono emitting the internal UUID string. - */ - public Mono getClientInternalId(String publicClientId) { - log.debug("Fetching internal ID for client: {}", publicClientId); - - // We expect only one client with this ID - URI targetUri = UriComponentsBuilder.fromUriString(getClientsEndpoint()) - .queryParam("clientId", publicClientId).queryParam("max", 1).build().toUri(); - - log.debug("Constructed URI for getClientInternalId: {}", targetUri.toString()); - - return getAdminAccessToken().flatMap(token -> this.webClient.get().uri(targetUri) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token).retrieve() - .onStatus(status -> status.is4xxClientError() || status.is5xxServerError(), - response -> response.bodyToMono(String.class).flatMap(errorBody -> { - log.error("Failed to get client '{}'. Status: {}, Body: {}", - publicClientId, response.statusCode(), errorBody); - return Mono.error(new ServiceUnavailableException( - "Could not fetch client details from Keycloak. Client: " - + publicClientId)); - })) - .bodyToFlux(KeycloakClientRepresentation.class)// Expecting a list, even if one item - .next() // Take the first element if present - .map(KeycloakClientRepresentation::getId) - .switchIfEmpty(Mono.error(new ServiceUnavailableException( - "Client not found in Keycloak: " + publicClientId))) - .doOnSuccess(id -> log.debug("Found internal ID '{}' for client '{}'", id, - publicClientId))); - } - - /** - * Fetches the effective client roles for a given user and a specific client (internal ID). - * - * @param userId the Keycloak user's 'sub' (subject ID). - * @param clientInternalId The internal UUID of the Keycloak client. - * @return Mono emitting a List of KeycloakRoleRepresentation. - */ - public Mono> getUserEffectiveClientRoles( - String userId, String clientInternalId - ) { - log.debug("Fetching effective client roles for user '{}' on client internal ID '{}'", - userId, clientInternalId); - return getAdminAccessToken().flatMap(token -> this.webClient.get() - .uri(getUserClientRolesEndpoint(userId, clientInternalId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token).retrieve() - .onStatus(status -> status.is4xxClientError() || status.is5xxServerError(), - response -> response.bodyToMono(String.class).flatMap(errorBody -> { - log.error( - "Failed to get user client roles. User:" - + " {}, ClientInternalId: {}, Status: {}, Body: {}", - userId, clientInternalId, response.statusCode(), errorBody); - return Mono.error(new ServiceUnavailableException( - "Could not fetch user client roles from Keycloak.")); - })) - .bodyToFlux(KeycloakRoleRepresentation.class).collectList() - .doOnSuccess(roles -> log.debug( - "Found {} effective client roles for user '{}' on client internal ID '{}'", - roles.size(), userId, clientInternalId))); - } - - - /** - * Creates a new organization in Keycloak. - * - * @param orgToCreate A representation of the organization to be created. - * @return A Mono emitting the representation of the newly created organization, including its - * ID. - */ - public Mono createOrganization( - KeycloakOrganizationRepresentation orgToCreate) { - return getAdminAccessToken() - .flatMap(token -> this.webClient.post().uri(getOrganizationsEndpoint()) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .contentType(MediaType.APPLICATION_JSON).bodyValue(orgToCreate).retrieve() - // Add error handling here for 409 Conflict, etc. - .bodyToMono(KeycloakOrganizationRepresentation.class)); - } - - /** - * Retrieves all organizations within the realm. - * - * @return A Mono emitting a List of all organization representations. - */ - public Mono> getOrganizations() { - return getAdminAccessToken() - .flatMap(token -> this.webClient.get().uri(getOrganizationsEndpoint()) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token).retrieve() - .bodyToFlux(KeycloakOrganizationRepresentation.class).collectList()); - } - - /** - * Retrieves a single organization by its unique ID. - * - * @param orgId The ID of the organization to retrieve. - * @return A Mono emitting the representation of the found organization. - */ - public Mono getOrganizationById(String orgId) { - return getAdminAccessToken() - .flatMap(token -> this.webClient.get().uri(getOrganizationByIdEndpoint(orgId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token).retrieve() - .bodyToMono(KeycloakOrganizationRepresentation.class)); - } - - /** - * Updates an existing organization's details in Keycloak. - * - * @param orgId The ID of the organization to update. - * @param orgToUpdate A representation containing the updated fields for the organization. - * @return A Mono that completes when the update is successful. - */ - public Mono updateOrganization(String orgId, - KeycloakOrganizationRepresentation orgToUpdate) { - return getAdminAccessToken() - .flatMap(token -> this.webClient.put().uri(getOrganizationByIdEndpoint(orgId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .contentType(MediaType.APPLICATION_JSON).bodyValue(orgToUpdate).retrieve() - .bodyToMono(Void.class)); - } - - /** - * Deletes an organization from Keycloak. - * - * @param orgId The ID of the organization to delete. - * @return A Mono that completes when the deletion is successful. - */ - public Mono deleteOrganization(String orgId) { - return getAdminAccessToken() - .flatMap(token -> this.webClient.delete().uri(getOrganizationByIdEndpoint(orgId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token).retrieve() - .bodyToMono(Void.class)); - } - - /** - * Sends an invitation for a user to join an organization. Keycloak handles the email delivery. - * - * @param orgId The ID of the organization to invite the user to. - * @param invitation An object containing the invitee's details (email, name). - * @return A Mono that completes when the invitation has been successfully sent. - */ - public Mono inviteUserToOrganization(String orgId, KeycloakInvitationRequest invitation) { - // Create form data from the invitation DTO - MultiValueMap formData = new LinkedMultiValueMap<>(); - formData.add("email", invitation.getEmail()); - if (invitation.getFirstName() != null) { - formData.add("firstName", invitation.getFirstName()); - } - if (invitation.getLastName() != null) { - formData.add("lastName", invitation.getLastName()); - } - - return getAdminAccessToken().flatMap(token -> this.webClient.post() - .uri(getOrganizationInvitationEndpoint(orgId)) // Points to /invitations - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - // UPDATED: Use FORM_URLENCODED content type - .contentType(MediaType.APPLICATION_FORM_URLENCODED) - // UPDATED: Use fromFormData to send the body - .body(BodyInserters.fromFormData(formData)).retrieve().bodyToMono(Void.class)); - } - - /** - * Retrieves a list of all members of a specific organization. - * - * @param orgId The ID of the organization. - * @return A Mono emitting a List of user representations for the members. - */ - public Mono> getOrganizationMembers(String orgId) { - return getAdminAccessToken() - .flatMap(token -> this.webClient.get().uri(getOrganizationMembersEndpoint(orgId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token).retrieve() - .bodyToFlux(KeycloakUserRepresentation.class).collectList()); - } - - /** - * Adds an existing Keycloak user to an organization. - * - * @param orgId The ID of the organization. - * @param userId The ID of the user to add as a member. - * @return A Mono that completes when the user is successfully added. - */ - public Mono addMemberToOrganization(String orgId, String userId) { - // Keycloak's API to add an existing user to an Organization is a POST - // to the /members collection endpoint, with the user's ID in the body. - return getAdminAccessToken().flatMap(token -> this.webClient.post() - // Use the endpoint for the members collection, NOT the specific member - .uri(getOrganizationMembersEndpoint(orgId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .contentType(MediaType.APPLICATION_JSON) - // The body should be a representation containing the user's ID - .bodyValue(userId).retrieve().bodyToMono(Void.class)); - } - - /** - * Removes a member from an organization. - * - * @param orgId The ID of the organization. - * @param userId The ID of the user to remove. - * @return A Mono that completes when the user is successfully removed. - */ - public Mono removeMemberFromOrganization(String orgId, String userId) { - return getAdminAccessToken().flatMap(token -> this.webClient.delete() - .uri(getOrganizationMemberByIdEndpoint(orgId, userId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token).retrieve() - .bodyToMono(Void.class)); - } - - /** - * Creates a new sub-group as a child of a parent group. - * - * @param parentGroupId The ID of the parent group. - * @param group A representation of the sub-group to create. - * @return A Mono that completes when the group is created. - * Keycloak returns location header, not body. - */ - public Mono createSubGroup(String parentGroupId, KeycloakGroupRepresentation group) { - return getAdminAccessToken().flatMap(token -> this.webClient.post() - .uri(getGroupChildrenEndpoint(parentGroupId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .contentType(MediaType.APPLICATION_JSON) - .bodyValue(group) - .retrieve() - .bodyToMono(Void.class)); - } - - /** - * Retrieves a group by its unique ID. - * - * @param groupId The ID of the group to retrieve. - * @return A Mono emitting the group representation. - */ - public Mono getGroupById(String groupId) { - return getAdminAccessToken().flatMap(token -> this.webClient.get() - .uri(getGroupByIdEndpoint(groupId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .retrieve() - .bodyToMono(KeycloakGroupRepresentation.class)); - } - - /** - * Lists the direct children (sub-groups) of a parent group. - * - * @param parentGroupId The ID of the parent group. - * @return A Mono emitting a list of sub-group representations. - */ - public Mono> listSubGroups(String parentGroupId) { - return getAdminAccessToken().flatMap(token -> this.webClient.get() - .uri(getGroupChildrenEndpoint(parentGroupId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .retrieve() - .bodyToFlux(KeycloakGroupRepresentation.class) - .collectList()); - } - - /** - * Updates an existing group. - * - * @param groupId The ID of the group to update. - * @param group A representation containing the updated fields. - * @return A Mono that completes on successful update. - */ - public Mono updateGroup(String groupId, KeycloakGroupRepresentation group) { - return getAdminAccessToken().flatMap(token -> this.webClient.put() - .uri(getGroupByIdEndpoint(groupId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .contentType(MediaType.APPLICATION_JSON) - .bodyValue(group) - .retrieve() - .bodyToMono(Void.class)); - } - - /** - * Deletes a group by its ID. - * - * @param groupId The ID of the group to delete. - * @return A Mono that completes on successful deletion. - */ - public Mono deleteGroup(String groupId) { - return getAdminAccessToken().flatMap(token -> this.webClient.delete() - .uri(getGroupByIdEndpoint(groupId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .retrieve() - .bodyToMono(Void.class)); - } - - /** - * Adds a user to a group. - * - * @param groupId The ID of the group. - * @param userId The ID of the user. - * @return A Mono that completes when the user is added to the group. - */ - public Mono addMemberToGroup(String groupId, String userId) { - // Keycloak API for adding a user to a group is a PUT on the user's groups link - return getAdminAccessToken().flatMap(token -> this.webClient.put() - .uri(getGroupMemberByIdEndpoint(groupId, userId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .retrieve() - .bodyToMono(Void.class)); - } - - /** - * Retrieves all members of a specific group. - * - * @param groupId The ID of the group. - * @return A Mono emitting a list of user representations. - */ - public Mono> getGroupMembers(String groupId) { - return getAdminAccessToken().flatMap(token -> this.webClient.get() - .uri(getGroupMembersEndpoint(groupId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .retrieve() - .bodyToFlux(KeycloakUserRepresentation.class) - .collectList()); - } - - /** - * Removes a user from a group. - * - * @param groupId The ID of the group. - * @param userId The ID of the user. - * @return A Mono that completes when the user is removed from the group. - */ - public Mono removeMemberFromGroup(String groupId, String userId) { - return getAdminAccessToken().flatMap(token -> this.webClient.delete() - .uri(getGroupMemberByIdEndpoint(groupId, userId)) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + token) - .retrieve() - .bodyToMono(Void.class)); - } - -} \ No newline at end of file diff --git a/src/main/java/com/cleverthis/authservice/service/impl/KeycloakAdminReactiveClient.java b/src/main/java/com/cleverthis/authservice/service/impl/KeycloakAdminReactiveClient.java new file mode 100644 index 0000000..c2e9bc8 --- /dev/null +++ b/src/main/java/com/cleverthis/authservice/service/impl/KeycloakAdminReactiveClient.java @@ -0,0 +1,473 @@ +package com.cleverthis.authservice.service.impl; + +import com.cleverthis.authservice.config.KeycloakClientConfigProperties; +import com.cleverthis.authservice.dto.RegistrationRequest; +import com.cleverthis.authservice.dto.keycloakadmin.KeycloakInvitationRequest; +import com.cleverthis.authservice.exception.RegistrationException; +import com.cleverthis.authservice.exception.ServiceUnavailableException; +import com.cleverthis.authservice.exception.UserAlreadyExistsException; +import jakarta.ws.rs.ClientErrorException; +import jakarta.ws.rs.NotFoundException; +import jakarta.ws.rs.core.Response; +import java.util.Collections; +import java.util.List; +import java.util.NoSuchElementException; +import java.util.function.Consumer; +import lombok.extern.slf4j.Slf4j; +import org.keycloak.admin.client.Keycloak; +import org.keycloak.representations.idm.CredentialRepresentation; +import org.keycloak.representations.idm.GroupRepresentation; +import org.keycloak.representations.idm.MemberRepresentation; +import org.keycloak.representations.idm.OrganizationRepresentation; +import org.keycloak.representations.idm.UserRepresentation; +import org.springframework.stereotype.Service; +import reactor.core.publisher.Mono; +import reactor.core.publisher.MonoSink; + +/** + * Service to interact with Keycloak Admin API. + * Turn keycloak sdk into reactive. + */ +@Service +@Slf4j +public class KeycloakAdminReactiveClient { + + private final Keycloak keycloak; + + private final String realm; + + /** + * Create a keycloak admin client. + */ + public KeycloakAdminReactiveClient( + final Keycloak keycloak, + final KeycloakClientConfigProperties properties + ) { + this.keycloak = keycloak; + this.realm = properties.getRealm(); + } + + + /** + * Creates a new organization in Keycloak. + * + * @param orgToCreate A representation of the organization to be created. + * @return A Mono emitting the representation of the newly created organization, including its + * ID. + */ + public Mono createOrganization( + OrganizationRepresentation orgToCreate + ) { + return Mono.create(sink -> { + final var resp = this.keycloak.realm(this.realm) + .organizations().create(orgToCreate); + try (resp) { + if (resp.getStatusInfo().getFamily() == Response.Status.Family.SUCCESSFUL) { + final var body = resp.readEntity(OrganizationRepresentation.class); + sink.success(body); + } else { + final var body = resp.readEntity(String.class); + sink.error(new ServiceUnavailableException( + "Failed to create organization " + orgToCreate + + ", body=" + body)); + } + } catch (final Throwable t) { + sink.error(t); + } + }); + } + + /** + * Retrieves all organizations within the realm. + * + * @return A Mono emitting a List of all organization representations. + */ + public Mono> getOrganizations() { + return Mono.just(this.keycloak.realm(this.realm) + .organizations().list(null, Integer.MAX_VALUE)); + } + + /** + * Retrieves a single organization by its unique ID. + * + * @param orgId The ID of the organization to retrieve. + * @return A Mono emitting the representation of the found organization. + */ + public Mono getOrganizationById(String orgId) { + return Mono.create(sink -> { + try { + sink.success(this.keycloak.realm(this.realm) + .organizations().get(orgId).toRepresentation()); + } catch (final NotFoundException ex) { + sink.error(new NoSuchElementException( + "Organization with id " + orgId + " not exists", ex)); + } + }); + } + + /** + * Updates an existing organization's details in Keycloak. + * + * @param orgId The ID of the organization to update. + * @param orgToUpdate A representation containing the updated fields for the organization. + * @return A Mono that completes when the update is successful. + */ + public Mono updateOrganization( + String orgId, OrganizationRepresentation orgToUpdate + ) { + return Mono.create(sink -> { + final var resp = this.keycloak.realm(this.realm) + .organizations().get(orgId).update(orgToUpdate); + try (resp) { + if (resp.getStatusInfo().getFamily() == Response.Status.Family.CLIENT_ERROR + || resp.getStatusInfo().getFamily() == Response.Status.Family.SERVER_ERROR) { + final var body = resp.readEntity(String.class); + sink.error(new ServiceUnavailableException( + "Failed to update organization " + orgId + + " with data " + orgToUpdate + + ", body=" + body)); + } else { + sink.success(); + } + } + }); + } + + /** + * Deletes an organization from Keycloak. + * + * @param orgId The ID of the organization to delete. + * @return A Mono that completes when the deletion is successful. + */ + public Mono deleteOrganization(String orgId) { + return Mono.create(sink -> { + final var resp = this.keycloak.realm(this.realm) + .organizations().get(orgId).delete(); + try (resp) { + if (resp.getStatusInfo().getFamily() == Response.Status.Family.CLIENT_ERROR + || resp.getStatusInfo().getFamily() == Response.Status.Family.SERVER_ERROR) { + final var body = resp.readEntity(String.class); + sink.error(new ServiceUnavailableException( + "Failed to delete organization " + orgId + + ", body=" + body)); + } else { + sink.success(); + } + } + }); + } + + /** + * Sends an invitation for a user to join an organization. Keycloak handles the email delivery. + * + * @param orgId The ID of the organization to invite the user to. + * @param invitation An object containing the invitee's details (email, name). + * @return A Mono that completes when the invitation has been successfully sent. + */ + public Mono inviteUserToOrganization(String orgId, KeycloakInvitationRequest invitation) { + // Create form data from the invitation DTO + return Mono.create(sink -> { + final var resp = this.keycloak.realm(this.realm) + .organizations().get(orgId) + .members().inviteUser( + invitation.getEmail(), invitation.getFirstName(), invitation.getLastName() + ); + try (resp) { + if (resp.getStatusInfo().getFamily() == Response.Status.Family.CLIENT_ERROR + || resp.getStatusInfo().getFamily() == Response.Status.Family.SERVER_ERROR) { + final var body = resp.readEntity(String.class); + sink.error(new ServiceUnavailableException( + "Failed to process invitation request " + invitation + + " for organization " + orgId + + ", body=" + body)); + } else { + sink.success(); + } + } + }); + } + + /** + * Retrieves a list of all members of a specific organization. + * + * @param orgId The ID of the organization. + * @return A Mono emitting a List of user representations for the members. + */ + public Mono> getOrganizationMembers(String orgId) { + return Mono.create(sink -> { + try { + sink.success(this.keycloak.realm(this.realm) + .organizations().get(orgId) + .members().list(null, Integer.MAX_VALUE)); + } catch (final NotFoundException ex) { + sink.error(new NoSuchElementException( + "Organization with id " + orgId + " not exists", ex)); + } + }); + } + + /** + * Adds an existing Keycloak user to an organization. + * + * @param orgId The ID of the organization. + * @param userId The ID of the user to add as a member. + * @return A Mono that completes when the user is successfully added. + */ + public Mono addMemberToOrganization(String orgId, String userId) { + // Keycloak's API to add an existing user to an Organization is a POST + // to the /members collection endpoint, with the user's ID in the body. + return Mono.create(sink -> { + final var resp = this.keycloak.realm(this.realm) + .organizations().get(orgId) + .members().addMember(userId); + try (resp) { + if (resp.getStatusInfo().getFamily() == Response.Status.Family.CLIENT_ERROR + || resp.getStatusInfo().getFamily() == Response.Status.Family.SERVER_ERROR) { + final var body = resp.readEntity(String.class); + sink.error(new ServiceUnavailableException( + "Failed to add member " + userId + " to organization " + orgId + + ", body=" + body)); + } else { + sink.success(); + } + } + }); + } + + /** + * Removes a member from an organization. + * + * @param orgId The ID of the organization. + * @param userId The ID of the user to remove. + * @return A Mono that completes when the user is successfully removed. + */ + public Mono removeMemberFromOrganization(String orgId, String userId) { + return Mono.create(sink -> { + final var resp = this.keycloak.realm(this.realm) + .organizations().get(orgId) + .members().removeMember(userId); + try (resp) { + if (resp.getStatusInfo().getFamily() == Response.Status.Family.CLIENT_ERROR + || resp.getStatusInfo().getFamily() == Response.Status.Family.SERVER_ERROR) { + final var body = resp.readEntity(String.class); + sink.error(new ServiceUnavailableException( + "Failed to remove member " + userId + " from organization " + orgId + + ", body=" + body)); + } else { + sink.success(); + } + } + }); + } + + /** + * Creates a new sub-group as a child of a parent group. + * + * @param parentGroupId The ID of the parent group. + * @param group A representation of the sub-group to create. + * @return A Mono that completes when the group is created. + * Keycloak returns location header, not body. + */ + public Mono createSubGroup(String parentGroupId, GroupRepresentation group) { + return Mono.create(sink -> { + final var resp = this.keycloak.realm(this.realm) + .groups().group(parentGroupId) + .subGroup(group); + try (resp) { + if (resp.getStatusInfo().getFamily() == Response.Status.Family.CLIENT_ERROR + || resp.getStatusInfo().getFamily() == Response.Status.Family.SERVER_ERROR) { + final var body = resp.readEntity(String.class); + sink.error(new ServiceUnavailableException( + "Failed to create sub-group '" + group.getName() + + "', body=" + body)); + } else { + sink.success(); + } + } + }); + } + + /** + * Retrieves a group by its unique ID. + * + * @param groupId The ID of the group to retrieve. + * @return A Mono emitting the group representation. + */ + public Mono getGroupById(String groupId) { + return Mono.create((Consumer>) sink -> + sink.success(this.keycloak.realm(this.realm) + .groups().group(groupId).toRepresentation())) + .onErrorMap(NotFoundException.class, + ex -> new NoSuchElementException( + "Group with id " + groupId + " not exists", ex)); + } + + /** + * Lists the direct children (sub-groups) of a parent group. + * + * @param parentGroupId The ID of the parent group. + * @return A Mono emitting a list of sub-group representations. + */ + public Mono> listSubGroups(String parentGroupId) { + return Mono.create((Consumer>>) sink -> + sink.success(this.keycloak.realm(this.realm) + .groups().group(parentGroupId) + .getSubGroups(null, Integer.MAX_VALUE, false))) + .onErrorMap(NotFoundException.class, + ex -> new NoSuchElementException( + "Group with id " + parentGroupId + " not exists", ex)); + } + + /** + * Updates an existing group. + * + * @param groupId The ID of the group to update. + * @param group A representation containing the updated fields. + * @return A Mono that completes on successful update. + */ + public Mono updateGroup(String groupId, GroupRepresentation group) { + return Mono + .create((Consumer>) sink -> { + this.keycloak.realm(this.realm).groups().group(groupId).update(group); + sink.success(); + }) + .onErrorMap(NotFoundException.class, ex -> new NoSuchElementException( + "Group with id " + groupId + " not exists" + )); + } + + /** + * Deletes a group by its ID. + * + * @param groupId The ID of the group to delete. + * @return A Mono that completes on successful deletion. + */ + public Mono deleteGroup(String groupId) { + return Mono + .create((Consumer>) sink -> { + this.keycloak.realm(this.realm).groups().group(groupId).remove(); + sink.success(); + }) + .onErrorMap(NotFoundException.class, ex -> new NoSuchElementException( + "Group with id " + groupId + " not exists" + )); + } + + /** + * Adds a user to a group. + * + * @param groupId The ID of the group. + * @param userId The ID of the user. + * @return A Mono that completes when the user is added to the group. + */ + public Mono addMemberToGroup(String groupId, String userId) { + // Keycloak API for adding a user to a group is a PUT on the user's groups link + return Mono + .create((Consumer>) sink -> { + this.keycloak.realm(this.realm).users().get(userId).joinGroup(groupId); + sink.success(); + }) + .onErrorMap(ClientErrorException.class, ex -> new IllegalArgumentException( + "Failed to add user with id " + userId + " to group with id " + groupId + )); + } + + /** + * Retrieves all members of a specific group. + * + * @param groupId The ID of the group. + * @return A Mono emitting a list of user representations. + */ + public Mono> getGroupMembers(String groupId) { + return Mono.create((Consumer>>) sink -> sink.success( + this.keycloak.realm(this.realm).groups().group(groupId).members())) + .onErrorMap(NotFoundException.class, ex -> new NoSuchElementException( + "Group with id " + groupId + " not exist", ex + )); + } + + /** + * Removes a user from a group. + * + * @param groupId The ID of the group. + * @param userId The ID of the user. + * @return A Mono that completes when the user is removed from the group. + */ + public Mono removeMemberFromGroup(String groupId, String userId) { + return Mono + .create((Consumer>) sink -> { + this.keycloak.realm(this.realm).users().get(userId).leaveGroup(groupId); + sink.success(); + }) + .onErrorMap(ClientErrorException.class, ex -> new IllegalArgumentException( + "Failed to remove user with id " + userId + " from group with id " + groupId + )); + } + + /** + * Register user. + */ + public Mono registerUser(RegistrationRequest registrationRequest) { + log.info("Registering new user with email: {}", registrationRequest.getEmail()); + final var user = new UserRepresentation(); + user.setUsername(registrationRequest.getEmail()); + user.setEmail(registrationRequest.getEmail()); + user.setFirstName(registrationRequest.getFirstName()); + user.setLastName(registrationRequest.getLastName()); + user.setEnabled(true); + user.setEmailVerified(false); + + final var credentials = new CredentialRepresentation(); + credentials.setType(CredentialRepresentation.PASSWORD); + credentials.setValue(registrationRequest.getPassword()); + credentials.setTemporary(false); + user.setCredentials(Collections.singletonList(credentials)); + + // Tell Keycloak to initiate email verification, + // we may implement our email verification on future. + user.setRequiredActions(Collections.singletonList("VERIFY_EMAIL")); + + return Mono.create(sink -> { + final var resp = this.keycloak.realm(this.realm).users().create(user); + try (resp) { + if (resp.getStatusInfo().getFamily() == Response.Status.Family.SUCCESSFUL) { + log.info( + "User {} created successfully in Keycloak", + registrationRequest.getEmail()); + sink.success(); + } else if (resp.getStatus() == 409) { // CONFLICT + log.warn( + "User registration failed for {}:" + + " User already exists (Conflict).", + registrationRequest.getEmail()); + sink.error(new UserAlreadyExistsException("User with email " + + registrationRequest.getEmail() + + " already exists.")); + } else { + final var errorBody = resp.readEntity(String.class); + log.error("Keycloak user creation failed for {}" + + " with status {}: {}", + registrationRequest.getEmail(), resp.getStatus(), + errorBody); + sink.error(new RegistrationException( + "User registration failed due to Keycloak error." + + " Status: " + resp.getStatus())); + } + } + }); + + } + + /** + * Get user details with id. + * + * @throws NoSuchElementException in mono if keycloak returns 404. + */ + public Mono getUserDetails(String userId) { + return Mono.create((Consumer>) sink -> sink.success( + this.keycloak.realm(this.realm).users().get(userId).toRepresentation())) + .onErrorMap(NotFoundException.class, + ex -> new NoSuchElementException("User with id " + userId + " not exists", ex)); + } + +} \ No newline at end of file diff --git a/src/main/java/com/cleverthis/authservice/service/impl/KeycloakIdentityManagerService.java b/src/main/java/com/cleverthis/authservice/service/impl/KeycloakIdentityManagerService.java index 5bf8caa..96838b1 100644 --- a/src/main/java/com/cleverthis/authservice/service/impl/KeycloakIdentityManagerService.java +++ b/src/main/java/com/cleverthis/authservice/service/impl/KeycloakIdentityManagerService.java @@ -7,11 +7,7 @@ import com.cleverthis.authservice.dto.VerificationResponse; import com.cleverthis.authservice.dto.group.CreateGroupRequest; import com.cleverthis.authservice.dto.group.GroupResponse; import com.cleverthis.authservice.dto.group.UpdateGroupRequest; -import com.cleverthis.authservice.dto.keycloakadmin.KeycloakGroupRepresentation; import com.cleverthis.authservice.dto.keycloakadmin.KeycloakInvitationRequest; -import com.cleverthis.authservice.dto.keycloakadmin.KeycloakOrganizationRepresentation; -import com.cleverthis.authservice.dto.keycloakadmin.KeycloakUserRepresentation; -import com.cleverthis.authservice.dto.keycloakadmin.OrganizationDomainRepresentation; import com.cleverthis.authservice.dto.organization.CreateOrganizationRequest; import com.cleverthis.authservice.dto.organization.InviteUserRequest; import com.cleverthis.authservice.dto.organization.OrganizationMemberResponse; @@ -20,20 +16,19 @@ import com.cleverthis.authservice.dto.organization.UpdateOrganizationRequest; import com.cleverthis.authservice.exception.AuthenticationException; import com.cleverthis.authservice.exception.LogoutException; import com.cleverthis.authservice.exception.PermissionCheckException; -import com.cleverthis.authservice.exception.RegistrationException; import com.cleverthis.authservice.exception.ServiceUnavailableException; import com.cleverthis.authservice.exception.TokenVerificationException; -import com.cleverthis.authservice.exception.UserAlreadyExistsException; import com.cleverthis.authservice.service.IdentityManagerService; -import java.util.Collections; -import java.util.HashMap; import java.util.List; -import java.util.Map; import java.util.Set; import java.util.stream.Collectors; import lombok.extern.slf4j.Slf4j; +import org.keycloak.representations.idm.GroupRepresentation; +import org.keycloak.representations.idm.OrganizationDomainRepresentation; +import org.keycloak.representations.idm.OrganizationRepresentation; +import org.keycloak.representations.idm.UserRepresentation; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.http.HttpHeaders; +import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatusCode; import org.springframework.http.MediaType; @@ -42,7 +37,6 @@ import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; import org.springframework.web.reactive.function.BodyInserters; import org.springframework.web.reactive.function.client.WebClient; -import org.springframework.web.reactive.function.client.WebClientResponseException; import org.springframework.web.util.UriComponentsBuilder; import reactor.core.publisher.Mono; @@ -55,7 +49,7 @@ import reactor.core.publisher.Mono; public class KeycloakIdentityManagerService implements IdentityManagerService { private final WebClient webClient; - private final KeycloakAdminClient keycloakAdminClient; // Inject KeycloakAdminClient + private final KeycloakAdminReactiveClient keycloakAdminClient; // Inject KeycloakAdminClient private final String keycloakServerUrl; private final String realm; @@ -83,20 +77,13 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { .encode().toUriString(); } - private String getUsersAdminEndpoint() { - return UriComponentsBuilder.fromUriString(this.keycloakServerUrl) - .path("/admin/realms/{realm}/users") - .buildAndExpand(this.realm) - .encode().toUriString(); - } - /** * Create a keycloak OIDC client. */ @Autowired public KeycloakIdentityManagerService( - final WebClient keycloakWebClient, - final KeycloakAdminClient keycloakAdminClient, + @Qualifier("keycloakWebClient") final WebClient keycloakWebClient, + final KeycloakAdminReactiveClient keycloakAdminClient, final KeycloakClientConfigProperties configProperties ) { this.webClient = keycloakWebClient; @@ -119,23 +106,23 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { formData.add("scope", "openid email profile"); // Request standard scopes return this.webClient.post().uri(getTokenEndpoint()) - .contentType(MediaType.APPLICATION_FORM_URLENCODED) - .body(BodyInserters.fromFormData(formData)).retrieve() - // Handle specific HTTP status codes - .onStatus(status -> status.is4xxClientError() || status.is5xxServerError(), - clientResponse -> clientResponse.bodyToMono(String.class) - .flatMap(errorBody -> { - log.error("Keycloak login failed with status {}: {}", - clientResponse.statusCode(), errorBody); - return Mono.error(new AuthenticationException( - "Login failed: Invalid credentials or Keycloak error." - + " Status: " - + clientResponse.statusCode())); - })) - .bodyToMono(TokenResponse.class) - .doOnSuccess(response -> log.debug("Login successful for user: {}", username)) - .doOnError(error -> log.error("Error during login for user {}: {}", username, - error.getMessage())); + .contentType(MediaType.APPLICATION_FORM_URLENCODED) + .body(BodyInserters.fromFormData(formData)).retrieve() + // Handle specific HTTP status codes + .onStatus(status -> status.is4xxClientError() || status.is5xxServerError(), + clientResponse -> clientResponse.bodyToMono(String.class) + .flatMap(errorBody -> { + log.error("Keycloak login failed with status {}: {}", + clientResponse.statusCode(), errorBody); + return Mono.error(new AuthenticationException( + "Login failed: Invalid credentials or Keycloak error." + + " Status: " + + clientResponse.statusCode())); + })) + .bodyToMono(TokenResponse.class) + .doOnSuccess(response -> log.debug("Login successful for user: {}", username)) + .doOnError(error -> log.error("Error during login for user {}: {}", username, + error.getMessage())); } @Override @@ -147,29 +134,29 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { formData.add("token", accessToken); return this.webClient.post().uri(getIntrospectionEndpoint()) - .contentType(MediaType.APPLICATION_FORM_URLENCODED) - .body(BodyInserters.fromFormData(formData)).retrieve() - .onStatus(status -> status.is4xxClientError() || status.is5xxServerError(), - clientResponse -> clientResponse.bodyToMono(String.class) - .flatMap(errorBody -> { - log.error( - "Keycloak token introspection failed with" - + " status {}: {}", - clientResponse.statusCode(), errorBody); - return Mono.error(new TokenVerificationException( - "Token introspection failed. Status: " - + clientResponse.statusCode())); - })) - .bodyToMono(VerificationResponse.class).flatMap(response -> { - if (!response.isActive()) { - log.warn("Token verification failed: Token is inactive."); - return Mono.error( - new TokenVerificationException("Token is invalid or expired.")); - } - log.debug("Token verification successful. User: {}", response.getUsername()); - return Mono.just(response); - }).doOnError(error -> log.error("Error during token verification: {}", - error.getMessage())); + .contentType(MediaType.APPLICATION_FORM_URLENCODED) + .body(BodyInserters.fromFormData(formData)).retrieve() + .onStatus(status -> status.is4xxClientError() || status.is5xxServerError(), + clientResponse -> clientResponse.bodyToMono(String.class) + .flatMap(errorBody -> { + log.error( + "Keycloak token introspection failed with" + + " status {}: {}", + clientResponse.statusCode(), errorBody); + return Mono.error(new TokenVerificationException( + "Token introspection failed. Status: " + + clientResponse.statusCode())); + })) + .bodyToMono(VerificationResponse.class).flatMap(response -> { + if (!response.isActive()) { + log.warn("Token verification failed: Token is inactive."); + return Mono.error( + new TokenVerificationException("Token is invalid or expired.")); + } + log.debug("Token verification successful. User: {}", response.getUsername()); + return Mono.just(response); + }).doOnError(error -> log.error("Error during token verification: {}", + error.getMessage())); } @Override @@ -182,104 +169,33 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { formData.add("token_type_hint", "refresh_token"); // Hint for Keycloak return this.webClient.post().uri(getRevocationEndpoint()) - .contentType(MediaType.APPLICATION_FORM_URLENCODED) - .body(BodyInserters.fromFormData(formData)).retrieve() - .onStatus(status -> status.is4xxClientError() || status.is5xxServerError(), - clientResponse -> clientResponse.bodyToMono(String.class) - .flatMap(errorBody -> { - // Keycloak might return 400 if token is already invalid, which - // is okay for logout - if (clientResponse.statusCode() == HttpStatus.BAD_REQUEST) { - log.warn( - "Token revocation returned 400 (possibly already" - + " invalid/revoked): {}", - errorBody); - return Mono.empty(); // Treat as success in logout scenario - } - log.error("Keycloak token revocation failed with status {}: {}", - clientResponse.statusCode(), errorBody); - return Mono.error(new LogoutException("Logout failed. Status: " - + clientResponse.statusCode())); - })) - .bodyToMono(Void.class) // Expecting empty body on success (2xx) - .doOnSuccess(v -> log.debug("Logout successful (token revoked).")) - .doOnError(error -> log.error("Error during logout: {}", error.getMessage())); + .contentType(MediaType.APPLICATION_FORM_URLENCODED) + .body(BodyInserters.fromFormData(formData)).retrieve() + .onStatus(status -> status.is4xxClientError() || status.is5xxServerError(), + clientResponse -> clientResponse.bodyToMono(String.class) + .flatMap(errorBody -> { + // Keycloak might return 400 if token is already invalid, which + // is okay for logout + if (clientResponse.statusCode() == HttpStatus.BAD_REQUEST) { + log.warn( + "Token revocation returned 400 (possibly already" + + " invalid/revoked): {}", + errorBody); + return Mono.empty(); // Treat as success in logout scenario + } + log.error("Keycloak token revocation failed with status {}: {}", + clientResponse.statusCode(), errorBody); + return Mono.error(new LogoutException("Logout failed. Status: " + + clientResponse.statusCode())); + })) + .bodyToMono(Void.class) // Expecting empty body on success (2xx) + .doOnSuccess(v -> log.debug("Logout successful (token revoked).")) + .doOnError(error -> log.error("Error during logout: {}", error.getMessage())); } @Override public Mono registerUser(RegistrationRequest registrationRequest) { - log.info("Registering new user with email: {}", registrationRequest.getEmail()); - - Map userRepresentation = new HashMap<>(); - userRepresentation.put("username", registrationRequest.getEmail()); - userRepresentation.put("email", registrationRequest.getEmail()); - userRepresentation.put("firstName", registrationRequest.getFirstName()); - userRepresentation.put("lastName", registrationRequest.getLastName()); - userRepresentation.put("enabled", true); - userRepresentation.put("emailVerified", false); // Initially false - - Map credential = new HashMap<>(); - credential.put("type", "password"); - credential.put("value", registrationRequest.getPassword()); - credential.put("temporary", false); - userRepresentation.put("credentials", Collections.singletonList(credential)); - - // Tell Keycloak to initiate email verification, - // we may implement our email verification on future. - userRepresentation.put("requiredActions", Collections.singletonList("VERIFY_EMAIL")); - - return this.keycloakAdminClient.getAdminAccessToken() - .flatMap(adminToken -> this.webClient.post().uri(getUsersAdminEndpoint()) - .header(HttpHeaders.AUTHORIZATION, "Bearer " + adminToken) - .contentType(MediaType.APPLICATION_JSON).bodyValue(userRepresentation) - .exchangeToMono(response -> { - if (response.statusCode().is2xxSuccessful()) { - log.info( - "User {} created successfully in Keycloak." - + " Keycloak will handle email verification.", - registrationRequest.getEmail()); - return Mono.empty(); // Successfully initiated - } else if (response.statusCode() == HttpStatus.CONFLICT) { - log.warn( - "User registration failed for {}:" - + " User already exists (Conflict).", - registrationRequest.getEmail()); - return response.bodyToMono(String.class) - .flatMap(errorBody -> Mono.error( - new UserAlreadyExistsException("User with email " - + registrationRequest.getEmail() - + " already exists."))); - } else { - return response.bodyToMono(String.class).flatMap(errorBody -> { - log.error("Keycloak user creation failed for {}" - + " with status {}: {}", - registrationRequest.getEmail(), response.statusCode(), - errorBody); - return Mono.error(new RegistrationException( - "User registration failed due to Keycloak error." - + " Status: " + response.statusCode())); - }); - } - })) - .doOnError(WebClientResponseException.class, e -> { - if (e.getStatusCode() == HttpStatus.CONFLICT) { - // Already handled by exchangeToMono, but good to log if it somehow gets - // here - log.warn( - "User registration conflict " - + "(WebClientResponseException) for {}: {}", - registrationRequest.getEmail(), e.getMessage()); - } else { - log.error("WebClientResponseException during user registration for {}: {}", - registrationRequest.getEmail(), e.getMessage()); - } - }) - .doOnError( - e -> !(e instanceof UserAlreadyExistsException - || e instanceof RegistrationException), - e -> log.error("Generic error during user registration for {}: {}", - registrationRequest.getEmail(), e.getMessage())) - .then(); + return this.keycloakAdminClient.registerUser(registrationRequest); } @Override @@ -327,11 +243,11 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { error.getMessage())) .onErrorResume(PermissionCheckException.class, e -> Mono.just(false)); } - - + + @Override public Mono createOrganization(CreateOrganizationRequest request) { - KeycloakOrganizationRepresentation newOrg = new KeycloakOrganizationRepresentation(); + OrganizationRepresentation newOrg = new OrganizationRepresentation(); newOrg.setName(request.getName()); newOrg.setDescription(request.getDescription()); newOrg.setAttributes(request.getAttributes()); @@ -339,25 +255,29 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { if (request.getDomains() != null) { Set domainRepresentations = request.getDomains() - .stream() - .map(domainName -> new OrganizationDomainRepresentation(domainName, false)) - .collect(Collectors.toSet()); - newOrg.setDomains(domainRepresentations); + .stream() + .map(domainName -> { + final var domain = new OrganizationDomainRepresentation(domainName); + domain.setVerified(false); + return domain; + }) + .collect(Collectors.toSet()); + domainRepresentations.forEach(newOrg::addDomain); } return this.keycloakAdminClient.createOrganization(newOrg) - .map(this::toOrganizationResponse); + .map(this::toOrganizationResponse); } @Override public Mono> getOrganizations() { return this.keycloakAdminClient.getOrganizations().map(orgList -> orgList.stream() - .map(this::toOrganizationResponse).collect(Collectors.toList())); + .map(this::toOrganizationResponse).collect(Collectors.toList())); } @Override public Mono getOrganizationById(String orgId) { return this.keycloakAdminClient.getOrganizationById(orgId) - .map(this::toOrganizationResponse); + .map(this::toOrganizationResponse); } @Override @@ -370,10 +290,17 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { // Update domains based on the new list of names if (request.getDomains() != null) { Set domainRepresentations = request.getDomains() - .stream() - .map(domainName -> new OrganizationDomainRepresentation(domainName, false)) - .collect(Collectors.toSet()); - existingOrg.setDomains(domainRepresentations); + .stream() + .map(domainName -> { + final var domain = new OrganizationDomainRepresentation(domainName); + domain.setVerified(false); + return domain; + }) + .collect(Collectors.toSet()); + if (existingOrg.getDomains() != null) { + existingOrg.getDomains().clear(); + } + domainRepresentations.forEach(existingOrg::addDomain); } return this.keycloakAdminClient.updateOrganization(orgId, existingOrg); }); @@ -397,7 +324,7 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { @Override public Mono> getOrganizationMembers(String orgId) { return this.keycloakAdminClient.getOrganizationMembers(orgId).map(userList -> userList - .stream().map(this::toOrganizationMemberResponse).collect(Collectors.toList())); + .stream().map(this::toOrganizationMemberResponse).collect(Collectors.toList())); } @Override @@ -411,15 +338,16 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { } @Override - public Mono createSubGroup(final String parentGroupId, - final CreateGroupRequest request) { - KeycloakGroupRepresentation newGroup = new KeycloakGroupRepresentation(); + public Mono createSubGroup( + final String parentGroupId, final CreateGroupRequest request + ) { + GroupRepresentation newGroup = new GroupRepresentation(); newGroup.setName(request.getName()); newGroup.setAttributes(request.getAttributes()); - + return this.keycloakAdminClient.createSubGroup(parentGroupId, newGroup) - .thenReturn(new GroupResponse(null, request.getName(), - null, null, request.getAttributes())); + .thenReturn(new GroupResponse(null, request.getName(), + null, null, request.getAttributes())); } @Override @@ -430,14 +358,14 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { @Override public Mono> listSubGroups(final String parentGroupId) { return this.keycloakAdminClient.listSubGroups(parentGroupId) - .map(groupList -> groupList.stream() - .map(this::toGroupResponse) - .collect(Collectors.toList())); + .map(groupList -> groupList.stream() + .map(this::toGroupResponse) + .collect(Collectors.toList())); } @Override public Mono updateGroup(final String groupId, final UpdateGroupRequest request) { - KeycloakGroupRepresentation groupUpdate = new KeycloakGroupRepresentation(); + final var groupUpdate = new GroupRepresentation(); groupUpdate.setAttributes(request.getAttributes()); return this.keycloakAdminClient.updateGroup(groupId, groupUpdate); } @@ -446,18 +374,18 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { public Mono deleteGroup(final String groupId) { return this.keycloakAdminClient.deleteGroup(groupId); } - + @Override public Mono addMemberToGroup(final String groupId, final String userId) { return this.keycloakAdminClient.addMemberToGroup(groupId, userId); } - + @Override public Mono> getGroupMembers(final String groupId) { return this.keycloakAdminClient.getGroupMembers(groupId) - .map(userList -> userList.stream() - .map(this::toOrganizationMemberResponse) - .collect(Collectors.toList())); + .map(userList -> userList.stream() + .map(this::toOrganizationMemberResponse) + .collect(Collectors.toList())); } @Override @@ -466,39 +394,39 @@ public class KeycloakIdentityManagerService implements IdentityManagerService { } // --- Add DTO Mapper for Group --- - private GroupResponse toGroupResponse(final KeycloakGroupRepresentation keycloakGroup) { + private GroupResponse toGroupResponse(final GroupRepresentation keycloakGroup) { if (keycloakGroup == null) { return null; } return new GroupResponse( - keycloakGroup.getId(), - keycloakGroup.getName(), - keycloakGroup.getPath(), - keycloakGroup.getDescription(), - keycloakGroup.getAttributes() + keycloakGroup.getId(), + keycloakGroup.getName(), + keycloakGroup.getPath(), + keycloakGroup.getDescription(), + keycloakGroup.getAttributes() ); } - + // --- DTO Mapper Helper Methods --- private OrganizationResponse toOrganizationResponse( - KeycloakOrganizationRepresentation keycloakOrg) { + OrganizationRepresentation keycloakOrg) { if (keycloakOrg == null) { return null; } return new OrganizationResponse(keycloakOrg.getId(), keycloakOrg.getName(), - keycloakOrg.getDomains(), keycloakOrg.getDescription(), keycloakOrg.getEnabled(), - keycloakOrg.getAttributes()); + keycloakOrg.getDomains(), keycloakOrg.getDescription(), keycloakOrg.isEnabled(), + keycloakOrg.getAttributes()); } private OrganizationMemberResponse toOrganizationMemberResponse( - KeycloakUserRepresentation keycloakUser) { + UserRepresentation keycloakUser) { if (keycloakUser == null) { return null; } return new OrganizationMemberResponse(keycloakUser.getId(), keycloakUser.getUsername(), - keycloakUser.getFirstName(), keycloakUser.getLastName(), keycloakUser.getEmail(), - keycloakUser.isEnabled()); + keycloakUser.getFirstName(), keycloakUser.getLastName(), keycloakUser.getEmail(), + keycloakUser.isEnabled()); } - + } diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 98d06bd..7f7b362 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml @@ -7,7 +7,7 @@ spring: name: auth-service cloud: consul: - host: ${CONSUL_HOST:localhost} + host: ${CONSUL_HOST:127.0.0.1} port: ${CONSUL_PORT:8500} config: import-check: @@ -15,8 +15,8 @@ spring: # Keycloak Configuration (adjust values as needed) keycloak: - keycloak-host: ${KEYCLOAK_AUTH_SERVER_URL:http://localhost:9100} # Base URL of your Keycloak instance (NO trailing slash) - keycloak-admin-host: ${KEYCLOAK_AUTH_ADMIN_SERVER_URL:http://localhost:9100} # Base URL of your Keycloak instance (NO trailing slash) + keycloak-host: ${KEYCLOAK_AUTH_SERVER_URL:http://keycloak.dev.localhost} # Base URL of your Keycloak instance (NO trailing slash) + keycloak-admin-host: ${KEYCLOAK_AUTH_ADMIN_SERVER_URL:http://keycloak.dev.localhost} # Base URL of your Keycloak instance (NO trailing slash) realm: ${KEYCLOAK_AUTH_REALM:clevermicro-dev} # The realm name you are using client-id: ${KEYCLOAK_AUTH_SERVICE_CLIENT:auth-service} # Client ID created in Keycloak for this service client-secret: ${KEYCLOAK_AUTH_SERVICE_SECRET:UJ1sMcWciIRREfjjAGoLHUDynLT4aYdD} # Client Secret from Keycloak (use secrets management!) @@ -34,9 +34,46 @@ auth-service: # Default Keycloak Client ID if no prefix matches (optional) # defaultKeycloakClientId: "general-api-client" +# CleverMicro client +clevermicro: + client: + # rabbitmq + rabbitmq-host: ${RABBITMQ_HOST:localhost} + rabbitmq-port: ${RABBITMQ_PORT:5672} + rabbitmq-username: ${RABBITMQ_USER:springuser} + rabbitmq-password: ${RABBITMQ_PASSWORD:TheCleverWho} + rabbitmq-vhost: ${RABBITMQ_VHOST:/} + # swarm env + swarm-service-id: ${SWARM_SERVICE_ID:auth-service-id} + swarm-task-id=: ${SWARM_TASK_ID:dummy-task-id} + # backpressure + initial-availability: ${MAX_AVAILABILITY:-1} + logging: level: # Set log levels as needed. com.clevermicro.authservice: DEBUG org.springframework.web.client.RestTemplate: DEBUG - reactor.netty.http.client: DEBUG \ No newline at end of file + reactor.netty.http.client: DEBUG + +# Enable prometheus endpoint +management: + endpoint: + prometheus: + access: read_only + web: + exposure: + include: health,prometheus +# OpenTelemetry +otel: + logs: + exporter: otlp + exporter: + otlp: + logs: + endpoint: ${OTLP_LOG_ENDPOINT:http://victorialogs.dev.localhost/insert/opentelemetry/v1/logs} + # for now disable the tracing and metrics exporter + traces: + exporter: none + metrics: + exporter: none \ No newline at end of file diff --git a/src/test/java/com/cleverthis/authservice/OrganizationControllerTest.java b/src/test/java/com/cleverthis/authservice/OrganizationControllerTest.java index 32129a1..c522d30 100644 --- a/src/test/java/com/cleverthis/authservice/OrganizationControllerTest.java +++ b/src/test/java/com/cleverthis/authservice/OrganizationControllerTest.java @@ -5,7 +5,6 @@ import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.when; import com.cleverthis.authservice.controller.OrganizationController; -import com.cleverthis.authservice.dto.keycloakadmin.OrganizationDomainRepresentation; import com.cleverthis.authservice.dto.organization.AddMemberRequest; import com.cleverthis.authservice.dto.organization.CreateOrganizationRequest; import com.cleverthis.authservice.dto.organization.InviteUserRequest; @@ -21,6 +20,7 @@ import java.util.Map; import java.util.Set; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import org.keycloak.representations.idm.OrganizationDomainRepresentation; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest; import org.springframework.context.annotation.Import; @@ -34,7 +34,7 @@ import reactor.core.publisher.Mono; * management, mocking the service layer. */ @WebFluxTest(OrganizationController.class) -@Import(GlobalExceptionHandler.class) +@Import(GlobalExceptionHandler.class) public class OrganizationControllerTest { @Autowired @@ -52,10 +52,10 @@ public class OrganizationControllerTest { @BeforeEach void setUp() { // Create the correct domain representation object - OrganizationDomainRepresentation domain = - new OrganizationDomainRepresentation("test-org.com", true); + final var domain = new OrganizationDomainRepresentation("test-org.com"); + domain.setVerified(true); this.mockOrgResponse = new OrganizationResponse("org-id-123", "test-org", Set.of(domain), - "A test organization", true, Map.of("displayName", List.of("Test Org"))); + "A test organization", true, Map.of("displayName", List.of("Test Org"))); this.mockOrgResponseList = Collections.singletonList(this.mockOrgResponse); } @@ -65,14 +65,14 @@ public class OrganizationControllerTest { @Test void createOrganization_Success_ReturnsCreatedWithBody() { CreateOrganizationRequest request = new CreateOrganizationRequest("test-org", - List.of("test-org.com"), "A test org", null); + List.of("test-org.com"), "A test org", null); when(this.identityManagerService.createOrganization(any(CreateOrganizationRequest.class))) - .thenReturn(Mono.just(this.mockOrgResponse)); + .thenReturn(Mono.just(this.mockOrgResponse)); this.webTestClient.post().uri("/organizations").contentType(MediaType.APPLICATION_JSON) - .bodyValue(request).exchange().expectStatus().isCreated() - .expectBody(OrganizationResponse.class).isEqualTo(this.mockOrgResponse); + .bodyValue(request).exchange().expectStatus().isCreated() + .expectBody(OrganizationResponse.class).isEqualTo(this.mockOrgResponse); } /** @@ -83,7 +83,7 @@ public class OrganizationControllerTest { CreateOrganizationRequest request = new CreateOrganizationRequest("", null, null, null); this.webTestClient.post().uri("/organizations").contentType(MediaType.APPLICATION_JSON) - .bodyValue(request).exchange().expectStatus().isBadRequest(); + .bodyValue(request).exchange().expectStatus().isBadRequest(); } /** @@ -92,10 +92,10 @@ public class OrganizationControllerTest { @Test void getOrganizations_Success_ReturnsListOfOrgs() { when(this.identityManagerService.getOrganizations()) - .thenReturn(Mono.just(this.mockOrgResponseList)); + .thenReturn(Mono.just(this.mockOrgResponseList)); this.webTestClient.get().uri("/organizations").exchange().expectStatus().isOk() - .expectBodyList(OrganizationResponse.class).isEqualTo(this.mockOrgResponseList); + .expectBodyList(OrganizationResponse.class).isEqualTo(this.mockOrgResponseList); } /** @@ -104,11 +104,11 @@ public class OrganizationControllerTest { @Test void getOrganizationById_Exists_ReturnsOrg() { when(this.identityManagerService.getOrganizationById("org-id-123")) - .thenReturn(Mono.just(this.mockOrgResponse)); + .thenReturn(Mono.just(this.mockOrgResponse)); this.webTestClient.get().uri("/organizations/{orgId}", "org-id-123").exchange() - .expectStatus().isOk().expectBody(OrganizationResponse.class) - .isEqualTo(this.mockOrgResponse); + .expectStatus().isOk().expectBody(OrganizationResponse.class) + .isEqualTo(this.mockOrgResponse); } /** @@ -117,10 +117,10 @@ public class OrganizationControllerTest { @Test void getOrganizationById_NotFound_ReturnsNotFound() { when(this.identityManagerService.getOrganizationById("non-existent-id")) - .thenReturn(Mono.error(new ResourceNotFoundException("Organization not found"))); + .thenReturn(Mono.error(new ResourceNotFoundException("Organization not found"))); this.webTestClient.get().uri("/organizations/{orgId}", "non-existent-id").exchange() - .expectStatus().isNotFound(); + .expectStatus().isNotFound(); } /** @@ -129,13 +129,13 @@ public class OrganizationControllerTest { @Test void updateOrganization_Success_ReturnsNoContent() { UpdateOrganizationRequest request = - new UpdateOrganizationRequest(List.of("updated.com"), "Updated desc", null); + new UpdateOrganizationRequest(List.of("updated.com"), "Updated desc", null); when(this.identityManagerService.updateOrganization(eq("org-id-123"), - any(UpdateOrganizationRequest.class))).thenReturn(Mono.empty()); + any(UpdateOrganizationRequest.class))).thenReturn(Mono.empty()); this.webTestClient.put().uri("/organizations/{orgId}", "org-id-123") - .contentType(MediaType.APPLICATION_JSON).bodyValue(request).exchange() - .expectStatus().isNoContent(); + .contentType(MediaType.APPLICATION_JSON).bodyValue(request).exchange() + .expectStatus().isNoContent(); } /** @@ -146,7 +146,7 @@ public class OrganizationControllerTest { when(this.identityManagerService.deleteOrganization("org-id-123")).thenReturn(Mono.empty()); this.webTestClient.delete().uri("/organizations/{orgId}", "org-id-123").exchange() - .expectStatus().isNoContent(); + .expectStatus().isNoContent(); } /** @@ -156,11 +156,11 @@ public class OrganizationControllerTest { void inviteUserToOrganization_Success_ReturnsOk() { InviteUserRequest request = new InviteUserRequest("invite@example.com", "Invited", "User"); when(this.identityManagerService.inviteUserToOrganization(eq("org-id-123"), - any(InviteUserRequest.class))).thenReturn(Mono.empty()); + any(InviteUserRequest.class))).thenReturn(Mono.empty()); this.webTestClient.post().uri("/organizations/{orgId}/invitations", "org-id-123") - .contentType(MediaType.APPLICATION_JSON).bodyValue(request).exchange() - .expectStatus().isOk(); + .contentType(MediaType.APPLICATION_JSON).bodyValue(request).exchange() + .expectStatus().isOk(); } /** @@ -169,14 +169,14 @@ public class OrganizationControllerTest { @Test void getOrganizationMembers_Success_ReturnsListOfMembers() { List members = - List.of(new OrganizationMemberResponse("user-id-1", "test", "Test", "User", - "test@test.com", true)); + List.of(new OrganizationMemberResponse("user-id-1", "test", "Test", "User", + "test@test.com", true)); when(this.identityManagerService.getOrganizationMembers("org-id-123")) - .thenReturn(Mono.just(members)); + .thenReturn(Mono.just(members)); this.webTestClient.get().uri("/organizations/{orgId}/members", "org-id-123").exchange() - .expectStatus().isOk().expectBodyList(OrganizationMemberResponse.class) - .isEqualTo(members); + .expectStatus().isOk().expectBodyList(OrganizationMemberResponse.class) + .isEqualTo(members); } /** @@ -186,11 +186,11 @@ public class OrganizationControllerTest { void addMemberToOrganization_Success_ReturnsNoContent() { AddMemberRequest request = new AddMemberRequest("user-to-add-id"); when(this.identityManagerService.addMemberToOrganization("org-id-123", "user-to-add-id")) - .thenReturn(Mono.empty()); + .thenReturn(Mono.empty()); this.webTestClient.post().uri("/organizations/{orgId}/members", "org-id-123") - .contentType(MediaType.APPLICATION_JSON).bodyValue(request).exchange() - .expectStatus().isNoContent(); + .contentType(MediaType.APPLICATION_JSON).bodyValue(request).exchange() + .expectStatus().isNoContent(); } /** @@ -199,10 +199,10 @@ public class OrganizationControllerTest { @Test void removeMemberFromOrganization_Success_ReturnsNoContent() { when(this.identityManagerService.removeMemberFromOrganization("org-id-123", - "user-to-remove-id")).thenReturn(Mono.empty()); + "user-to-remove-id")).thenReturn(Mono.empty()); this.webTestClient.delete() - .uri("/organizations/{orgId}/members/{userId}", "org-id-123", "user-to-remove-id") - .exchange().expectStatus().isNoContent(); + .uri("/organizations/{orgId}/members/{userId}", "org-id-123", "user-to-remove-id") + .exchange().expectStatus().isNoContent(); } } diff --git a/src/test/java/com/cleverthis/authservice/config/KeycloakClientConfigPropertiesTest.java b/src/test/java/com/cleverthis/authservice/config/KeycloakClientConfigPropertiesTest.java index f077fc6..9ab1896 100644 --- a/src/test/java/com/cleverthis/authservice/config/KeycloakClientConfigPropertiesTest.java +++ b/src/test/java/com/cleverthis/authservice/config/KeycloakClientConfigPropertiesTest.java @@ -3,10 +3,17 @@ package com.cleverthis.authservice.config; import static org.junit.jupiter.api.Assertions.assertEquals; import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.context.properties.EnableConfigurationProperties; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.TestPropertySource; +import org.springframework.test.context.junit.jupiter.SpringExtension; -@SpringBootTest(properties = { +@ExtendWith(SpringExtension.class) +@ContextConfiguration(classes = {KeycloakClientConfigPropertiesTest.class}) +@EnableConfigurationProperties({KeycloakClientConfigProperties.class}) +@TestPropertySource(properties = { "keycloak.keycloak-host=https://keycloak.example.com", "keycloak.keycloak-admin-host=https://keycloak-admin.example.com", "keycloak.realm=cm-test", diff --git a/src/test/java/com/cleverthis/authservice/controller/rabbitmq/AbstractEndpointTest.java b/src/test/java/com/cleverthis/authservice/controller/rabbitmq/AbstractEndpointTest.java new file mode 100644 index 0000000..dbceb82 --- /dev/null +++ b/src/test/java/com/cleverthis/authservice/controller/rabbitmq/AbstractEndpointTest.java @@ -0,0 +1,238 @@ +package com.cleverthis.authservice.controller.rabbitmq; + +import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNull; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.ArgumentMatchers.argThat; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.ArgumentMatchers.notNull; +import static org.mockito.Mockito.doNothing; +import static org.mockito.Mockito.doReturn; +import static org.mockito.Mockito.doThrow; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +import com.cleverthis.authservice.controller.rabbitmq.exception.EndpointException; +import com.cleverthis.authservice.controller.rabbitmq.model.EndpointErrorResponse; +import com.cleverthis.authservice.controller.rabbitmq.model.EndpointOkResponse; +import com.cleverthis.authservice.controller.rabbitmq.model.EndpointRequest; +import com.cleverthis.clevermicro.client.amqp.CleverMicroAmqpClient; +import com.cleverthis.clevermicro.client.amqp.handler.HandlerContext; +import com.cleverthis.clevermicro.client.amqp.handler.HandlerSubmodule; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.rabbitmq.client.BuiltinExchangeType; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.util.Map; +import java.util.Optional; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.Mockito; + +class AbstractEndpointTest { + private final CleverMicroAmqpClient client = Mockito.mock(CleverMicroAmqpClient.class); + final ObjectMapper objectMapper = Mockito.spy(new ObjectMapper()); + + private class TestEndpoint extends AbstractEndpoint { + + TestEndpoint() throws Exception { + super( + AbstractEndpointTest.this.client, + AbstractEndpointTest.this.objectMapper, + "test-key" + ); + } + + // The throws is needed for mocked object to throw exception during test + @SuppressWarnings("RedundantThrows") + @Override + protected void handleRequest( + final HandlerContext ctx, final EndpointRequest request + ) throws EndpointException { + } + } + + private final HandlerSubmodule handlerSubmodule = Mockito.mock(HandlerSubmodule.class); + + @BeforeEach + void setup() { + when(this.client.getHandlerManager()).thenReturn(this.handlerSubmodule); + } + + @Test + void testInitAndClose() throws Exception { + when(this.client.getHandlerManager().registerHandler( + anyString(), eq(""), eq(1), + notNull(), notNull() + )).thenReturn("test-tag"); + final var testEndpoint = new TestEndpoint(); + verify(this.client.getHandlerManager()).declareExchange( + "cleverthis.clevermicro.auth.endpoints", BuiltinExchangeType.DIRECT + ); + verify(this.client.getHandlerManager()).declareQueue( + "cleverthis.clevermicro.auth.endpoints.test-key", + true, false, false, Map.of() + ); + verify(this.client.getHandlerManager()).bindQueue( + "cleverthis.clevermicro.auth.endpoints.test-key", + "cleverthis.clevermicro.auth.endpoints", + "test-key", Map.of() + ); + + testEndpoint.close(); + verify(this.client.getHandlerManager()).cancelHandler("test-tag"); + } + + @Test + void testHandler() throws Throwable { + final var testEndpoint = Mockito.spy(new TestEndpoint()); + final var handlerContext = Mockito.mock(HandlerContext.class); + + // silent reply method, it will be tested separately + doNothing().when(testEndpoint).reply(eq(handlerContext), notNull()); + + // parse req null + doReturn(null).when(testEndpoint).parseRequest(notNull()); + testEndpoint.handleRabbitMessage(handlerContext); + verify(testEndpoint).reply(eq(handlerContext), argThat(it -> { + final var resp = (EndpointErrorResponse) it; + return resp.getException().equals("cleverthis.clevermicro.bad_request") + && resp.getMessage().equals("Malformed request, cannot be parsed"); + })); + + // path: parse req ok + Mockito.clearInvocations(testEndpoint); + // handle req ok + doReturn(EndpointRequest.builder().build()).when(testEndpoint).parseRequest(notNull()); + doNothing().when(testEndpoint).handleRequest(notNull(), notNull()); + assertDoesNotThrow(() -> testEndpoint.handleRabbitMessage(handlerContext)); + verify(testEndpoint, never()).reply(notNull(), notNull()); + + // handle req endpoint exception + Mockito.clearInvocations(testEndpoint); + doThrow(new EndpointException("test", "message")) + .when(testEndpoint).handleRequest(notNull(), notNull()); + assertDoesNotThrow(() -> testEndpoint.handleRabbitMessage(handlerContext)); + verify(testEndpoint).reply(notNull(), argThat(it -> { + final var resp = (EndpointErrorResponse) it; + return resp.getException().equals("test") + && resp.getMessage().equals("message"); + })); + + // handle req any exception + Mockito.clearInvocations(testEndpoint); + doThrow(new RuntimeException("test")) + .when(testEndpoint).handleRequest(notNull(), notNull()); + assertDoesNotThrow(() -> testEndpoint.handleRabbitMessage(handlerContext)); + verify(testEndpoint).reply(notNull(), argThat(it -> { + final var resp = (EndpointErrorResponse) it; + return resp.getException().equals("cleverthis.clevermicro.server_internal_error"); + })); + } + + @Test + void testParseRequest_SingleStream() throws Exception { + //noinspection resource + final var testEndpoint = new TestEndpoint(); + final var handlerContext = Mockito.mock(HandlerContext.class); + final var inputStream = Mockito.mock(InputStream.class); + + when(handlerContext.getMessageBodySingleStream()).thenReturn(Optional.of(inputStream)); + final var req = EndpointRequest.builder().method("testMethod").build(); + doReturn(req).when(this.objectMapper).readValue(inputStream, EndpointRequest.class); + + final var result = testEndpoint.parseRequest(handlerContext); + assertEquals(req, result); + } + + @Test + void testParseRequest_MultiStream() throws Exception { + //noinspection resource + final var testEndpoint = new TestEndpoint(); + final var handlerContext = Mockito.mock(HandlerContext.class); + final var inputStream = Mockito.mock(InputStream.class); + + when(handlerContext.getMessageBodyMultiStream()).thenReturn(Optional.of( + Map.of("request", inputStream) + )); + final var req = EndpointRequest.builder().method("testMethod").build(); + doReturn(req).when(this.objectMapper).readValue(inputStream, EndpointRequest.class); + + final var result = testEndpoint.parseRequest(handlerContext); + assertEquals(req, result); + } + + @Test + void testReply_SuccessfulSerialization() throws Exception { + //noinspection resource + final var testEndpoint = new TestEndpoint(); + final var handlerContext = Mockito.mock(HandlerContext.class); + final var response = Map.of("key", "value"); + + assertDoesNotThrow(() -> testEndpoint.reply(handlerContext, response)); + verify(handlerContext).finish(""" + { + "key" : "value" + } + """.trim().getBytes(StandardCharsets.UTF_8)); + } + + @Test + void testReply_SerializationFailure() throws Exception { + //noinspection resource + final var testEndpoint = new TestEndpoint(); + final var handlerContext = Mockito.mock(HandlerContext.class); + final var response = mock(EndpointOkResponse.class); + // throw error when accessing fields, causing jackson failed to serialize + when(response.getResult()).thenThrow(new RuntimeException("test")); + + assertDoesNotThrow(() -> testEndpoint.reply(handlerContext, response)); + verify(handlerContext, never()).finish(any()); + verify(handlerContext).refillAvailability(); + } + + @Test + void testReply_ReplyFailure() throws Exception { + //noinspection resource + final var testEndpoint = new TestEndpoint(); + final var handlerContext = Mockito.mock(HandlerContext.class); + final var response = Map.of("key", "value"); + + doThrow(new IOException("Reply error")).when(handlerContext).finish(notNull()); + + assertDoesNotThrow(() -> testEndpoint.reply(handlerContext, response)); + } + + @Test + void testParseRequest_InvalidRequest() throws Exception { + //noinspection resource + final var testEndpoint = new TestEndpoint(); + final var handlerContext = Mockito.mock(HandlerContext.class); + final var inputStream = Mockito.mock(InputStream.class); + + when(handlerContext.getMessageBodySingleStream()).thenReturn(Optional.of(inputStream)); + doThrow(new IOException("test")).when(this.objectMapper) + .readValue(inputStream, EndpointRequest.class); + + final var result = testEndpoint.parseRequest(handlerContext); + assertNull(result); + } + + @Test + void testParseRequest_NoStream() throws Exception { + //noinspection resource + final var testEndpoint = new TestEndpoint(); + final var handlerContext = Mockito.mock(HandlerContext.class); + + when(handlerContext.getMessageBodySingleStream()).thenReturn(Optional.empty()); + when(handlerContext.getMessageBodyMultiStream()).thenReturn(Optional.empty()); + + final var result = testEndpoint.parseRequest(handlerContext); + assertNull(result); + } +} \ No newline at end of file diff --git a/src/test/java/com/cleverthis/authservice/controller/rabbitmq/v1/user/UserEndpointV1Test.java b/src/test/java/com/cleverthis/authservice/controller/rabbitmq/v1/user/UserEndpointV1Test.java new file mode 100644 index 0000000..a184301 --- /dev/null +++ b/src/test/java/com/cleverthis/authservice/controller/rabbitmq/v1/user/UserEndpointV1Test.java @@ -0,0 +1,119 @@ +package com.cleverthis.authservice.controller.rabbitmq.v1.user; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +import com.cleverthis.authservice.controller.rabbitmq.exception.EndpointBadRequestException; +import com.cleverthis.authservice.controller.rabbitmq.exception.EndpointException; +import com.cleverthis.authservice.controller.rabbitmq.model.EndpointRequest; +import com.cleverthis.authservice.controller.rabbitmq.model.EndpointResponses; +import com.cleverthis.authservice.service.impl.KeycloakAdminReactiveClient; +import com.cleverthis.clevermicro.client.amqp.CleverMicroAmqpClient; +import com.cleverthis.clevermicro.client.amqp.handler.HandlerContext; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import java.io.IOException; +import java.util.LinkedHashMap; +import java.util.Map; +import java.util.NoSuchElementException; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.keycloak.representations.idm.UserRepresentation; +import reactor.core.publisher.Mono; + +class UserEndpointV1Test { + private final CleverMicroAmqpClient client = mock(); + private final ObjectMapper objectMapper = spy(new ObjectMapper()); + private final KeycloakAdminReactiveClient keycloakAdminClient = mock(); + + private UserEndpointV1 userEndpointV1; + + @BeforeEach + void setup() throws IOException { + when(this.client.getHandlerManager()).thenReturn(mock()); + this.userEndpointV1 = spy(new UserEndpointV1( + this.client, this.objectMapper, this.keycloakAdminClient)); + } + + @Test + void testHandler_MethodNotFound() { + final var req = mock(EndpointRequest.class); + when(req.getMethod()).thenReturn("method that doesn't exist"); + + final var ex = assertThrows(EndpointBadRequestException.class, + () -> this.userEndpointV1.handleRequest(mock(), req)); + + assertEquals("Method not found", ex.getMessage()); + } + + private EndpointRequest createRequest(String method, Map args) { + final String json; + try { + json = this.objectMapper.writerWithDefaultPrettyPrinter().writeValueAsString(args); + } catch (JsonProcessingException e) { + throw new RuntimeException(e); + } + final LinkedHashMap convertedArgs; + try { + convertedArgs = this.objectMapper.readValue(json, new TypeReference<>() { + }); + } catch (JsonProcessingException e) { + throw new RuntimeException(e); + } + return EndpointRequest.builder().method(method).args(convertedArgs).build(); + } + + @Test + void testHandler_QueryUserById() throws Exception { + final var handlerContext = mock(HandlerContext.class); + + // normal path + var req = createRequest("queryUserById", Map.of("id", "test-id")); + final var returnedUser = new UserRepresentation(); + returnedUser.setId("test-id"); + returnedUser.setUsername("test-username"); + when(this.keycloakAdminClient.getUserDetails("test-id")) + .thenReturn(Mono.just(returnedUser)); + + this.userEndpointV1.handleRequest(handlerContext, req); + + verify(handlerContext).finish( + this.objectMapper.writerWithDefaultPrettyPrinter().writeValueAsBytes( + EndpointResponses.ok(returnedUser) + ) + ); + + // missing args + req = createRequest("queryUserById", Map.of("not-id", "test-id")); + { // scope for final copy + final var finalReq = req; + assertThrows(EndpointBadRequestException.class, + () -> this.userEndpointV1.handleRequest(handlerContext, finalReq)); + } + + // invalid args + req = createRequest("queryUserById", Map.of("id", 123)); + { // scope for final copy + final var finalReq = req; + assertThrows(EndpointBadRequestException.class, + () -> this.userEndpointV1.handleRequest(handlerContext, finalReq)); + } + + // user not found + when(this.keycloakAdminClient.getUserDetails("test-id")) + .thenReturn(Mono.error(new NoSuchElementException("test exception"))); + req = createRequest("queryUserById", Map.of("id", "test-id")); + { // scope for final copy + final var finalReq = req; + final var ex = assertThrows(EndpointException.class, + () -> this.userEndpointV1.handleRequest(handlerContext, finalReq)); + assertEquals("cleverthis.clevermicro.auth.user_not_found", ex.getEndpointException()); + } + } +} \ No newline at end of file diff --git a/src/test/java/com/cleverthis/authservice/service/impl/FallbackPermissionMapLookupServiceTest.java b/src/test/java/com/cleverthis/authservice/service/impl/FallbackPermissionMapLookupServiceTest.java index c11cd36..5074cbc 100644 --- a/src/test/java/com/cleverthis/authservice/service/impl/FallbackPermissionMapLookupServiceTest.java +++ b/src/test/java/com/cleverthis/authservice/service/impl/FallbackPermissionMapLookupServiceTest.java @@ -55,7 +55,8 @@ class FallbackPermissionMapLookupServiceTest { assertNull(service.getConfig()); // fallback is null // has json content when(value.getDecodedValue()) - .thenReturn(this.objectMapper.writeValueAsString(new PermissionMappingConfigProperties())); + .thenReturn( + this.objectMapper.writeValueAsString(new PermissionMappingConfigProperties())); service.refreshConsul(); assertEquals(new PermissionMappingConfigProperties(), service.getConfig()); } @@ -76,45 +77,22 @@ class FallbackPermissionMapLookupServiceTest { } @Test - void testMatchClientIdByPath() { + void testMatchRuleByPath() { final var defaultConfig = new PermissionMappingConfigProperties(); - defaultConfig.setRules(List.of( - PermissionMappingConfigProperties.Rule.builder() - .keycloakClientId("service-A").pathPrefix("/a/").build(), - PermissionMappingConfigProperties.Rule.builder() - .keycloakClientId("service-B").pathPrefix("/b/").build() - )); + final var ruleA = PermissionMappingConfigProperties.Rule.builder() + .keycloakClientId("service-A").pathPrefix("/a/").build(); + final var ruleB = PermissionMappingConfigProperties.Rule.builder() + .keycloakClientId("service-B").pathPrefix("/b/").build(); + defaultConfig.setRules(List.of(ruleA, ruleB)); final var service = new FallbackPermissionMapLookupService( defaultConfig, this.consulClient, this.objectMapper); assertEquals( - "service-B", - service.matchClientIdByPath("/b/items/123").orElseThrow()); + ruleB, + service.matchRuleByPath("/b/items/123").orElseThrow()); assertEquals( Optional.empty(), - service.matchClientIdByPath("/c/items/123")); + service.matchRuleByPath("/c/items/123")); } - @Test - void testMatchRuleByClientIdAndPath() { - final var defaultConfig = new PermissionMappingConfigProperties(); - defaultConfig.setRules(List.of( - PermissionMappingConfigProperties.Rule.builder() - .keycloakClientId("service-A").pathPrefix("/a/").build(), - PermissionMappingConfigProperties.Rule.builder() - .keycloakClientId("service-B").pathPrefix("/b/").build() - )); - final var service = new FallbackPermissionMapLookupService( - defaultConfig, this.consulClient, this.objectMapper); - - service.matchRuleByClientIdAndPath("service-A", "/a/items/123") - .ifPresentOrElse( - rule -> assertEquals("service-A", rule.getKeycloakClientId()), - () -> Assertions.fail("No rule matched")); - service.matchRuleByClientIdAndPath("service-B", "/a/items/123") - .ifPresentOrElse( - it -> Assertions.fail("Rule matched but should not have"), - () -> {} - ); - } } \ No newline at end of file diff --git a/src/test/java/com/cleverthis/authservice/service/impl/KeycloakAdminClientTest.java b/src/test/java/com/cleverthis/authservice/service/impl/KeycloakAdminClientTest.java deleted file mode 100644 index 232fbbe..0000000 --- a/src/test/java/com/cleverthis/authservice/service/impl/KeycloakAdminClientTest.java +++ /dev/null @@ -1,191 +0,0 @@ -package com.cleverthis.authservice.service.impl; - -import static org.junit.jupiter.api.Assertions.assertEquals; - -import com.cleverthis.authservice.config.KeycloakClientConfigProperties; -import com.cleverthis.authservice.dto.KeycloakRoleRepresentation; -import com.cleverthis.authservice.exception.ServiceUnavailableException; -import java.io.IOException; -import java.util.List; -import okhttp3.mockwebserver.MockResponse; -import okhttp3.mockwebserver.MockWebServer; -import okhttp3.mockwebserver.RecordedRequest; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.mockito.Mockito; -import org.springframework.web.reactive.function.client.WebClient; -import reactor.core.publisher.Mono; -import reactor.test.StepVerifier; - -class KeycloakAdminClientTest { - private MockWebServer mockBackEnd; - - private KeycloakAdminClient adminClient; - - @BeforeEach - void setup() throws IOException { - // isolate requests by creating one mock server per test - this.mockBackEnd = new MockWebServer(); - this.mockBackEnd.start(); - - final var webClient = WebClient.builder().build(); - final var configProperties = KeycloakClientConfigProperties.builder() - .keycloakAdminHost("http://localhost:" + this.mockBackEnd.getPort() + "/") - .realm("test-realm") - .adminAccountUsername("admin") - .adminAccountPassword("admin-password") - .build(); - - this.adminClient = Mockito.spy(new KeycloakAdminClient(webClient, configProperties)); - - } - - @AfterEach - void tearDown() throws IOException { - this.mockBackEnd.shutdown(); - } - - - @Test - void getAdminAccessToken_shouldReturnToken_whenRequestIsSuccessful() - throws InterruptedException { - // Arrange - final var tokenResponse = """ - { - "access_token": "mock-access-token", - "expires_in": 3600 - } - """; - - this.mockBackEnd.enqueue(new MockResponse() - .setBody(tokenResponse) - .addHeader("Content-Type", "application/json") - ); - - // Act - final var result = this.adminClient.getAdminAccessToken(); - - // Assert - StepVerifier.create(result) - .expectNext("mock-access-token") - .verifyComplete(); - - RecordedRequest recordedRequest = this.mockBackEnd.takeRequest(); - assertEquals("/realms/test-realm/protocol/openid-connect/token", recordedRequest.getPath()); - } - - @Test - void getClientInternalId_shouldReturnInternalId_whenClientExists() throws InterruptedException { - // Arrange - final var publicClientId = "test-client"; - final var internalClientId = "mock-internal-id"; - Mockito.when(this.adminClient.getAdminAccessToken()) - .thenReturn(Mono.just("mock-access-token")); - - final var responseBody = """ - [ - { - "id": "mock-internal-id", - "clientId": "test-client" - } - ] - """; - - this.mockBackEnd.enqueue(new MockResponse() - .setBody(responseBody) - .addHeader("Content-Type", "application/json") - ); - - // Act - final var result = this.adminClient.getClientInternalId(publicClientId); - - // Assert - StepVerifier.create(result) - .expectNext(internalClientId) - .verifyComplete(); - RecordedRequest recordedRequest = this.mockBackEnd.takeRequest(); - assertEquals("/admin/realms/test-realm/clients?clientId=test-client&max=1", - recordedRequest.getPath()); - } - - @Test - void getClientInternalId_shouldThrowError_whenClientDoesNotExist() { - // Arrange - final var publicClientId = "nonexistent-client"; - final var responseBody = "[]"; - Mockito.when(this.adminClient.getAdminAccessToken()) - .thenReturn(Mono.just("mock-access-token")); - - this.mockBackEnd.enqueue(new MockResponse() - .setBody(responseBody) - .addHeader("Content-Type", "application/json") - ); - - // Act - final var result = this.adminClient.getClientInternalId(publicClientId); - - // Assert - StepVerifier.create(result) - .expectErrorMatches(throwable -> throwable instanceof ServiceUnavailableException && - throwable.getMessage().contains("Client not found in Keycloak")) - .verify(); - } - - @Test - void getUserEffectiveClientRoles_shouldReturnRoles_whenRequestIsSuccessful() - throws InterruptedException { - // Arrange - final var userId = "test-user"; - final var clientInternalId = "mock-client-id"; - Mockito.when(this.adminClient.getAdminAccessToken()) - .thenReturn(Mono.just("mock-access-token")); - - final var rolesResponse = """ - [ - {"name": "role1"}, - {"name": "role2"} - ] - """; - - this.mockBackEnd.enqueue(new MockResponse() - .setBody(rolesResponse) - .addHeader("Content-Type", "application/json") - ); - - // Act - final var result = this.adminClient.getUserEffectiveClientRoles(userId, clientInternalId); - - // Assert - StepVerifier.create(result) - .expectNextMatches(roles -> roles.stream().map(KeycloakRoleRepresentation::getName) - .toList().containsAll(List.of("role1", "role2"))) - .verifyComplete(); - RecordedRequest recordedRequest = this.mockBackEnd.takeRequest(); - assertEquals( - "/admin/realms/test-realm/users/test-realm/role-mappings/clients/test-user/composite", - recordedRequest.getPath()); - } - - @Test - void getUserEffectiveClientRoles_shouldReturnEmptyList_whenRolesNotFound() { - // Arrange - final var userId = "test-user"; - final var clientInternalId = "mock-client-id"; - Mockito.when(this.adminClient.getAdminAccessToken()) - .thenReturn(Mono.just("mock-access-token")); - - this.mockBackEnd.enqueue(new MockResponse() - .setBody("[]") - .addHeader("Content-Type", "application/json") - ); - - // Act - final var result = this.adminClient.getUserEffectiveClientRoles(userId, clientInternalId); - - // Assert - StepVerifier.create(result) - .expectNextMatches(List::isEmpty) - .verifyComplete(); - } -} \ No newline at end of file diff --git a/src/test/java/com/cleverthis/authservice/service/impl/KeycloakAdminReactiveClientTest.java b/src/test/java/com/cleverthis/authservice/service/impl/KeycloakAdminReactiveClientTest.java new file mode 100644 index 0000000..927c95f --- /dev/null +++ b/src/test/java/com/cleverthis/authservice/service/impl/KeycloakAdminReactiveClientTest.java @@ -0,0 +1,974 @@ +package com.cleverthis.authservice.service.impl; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.argThat; +import static org.mockito.Mockito.doThrow; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +import com.cleverthis.authservice.config.KeycloakClientConfigProperties; +import com.cleverthis.authservice.dto.RegistrationRequest; +import com.cleverthis.authservice.dto.keycloakadmin.KeycloakInvitationRequest; +import com.cleverthis.authservice.exception.RegistrationException; +import com.cleverthis.authservice.exception.ServiceUnavailableException; +import com.cleverthis.authservice.exception.UserAlreadyExistsException; +import jakarta.ws.rs.ClientErrorException; +import jakarta.ws.rs.NotFoundException; +import jakarta.ws.rs.ProcessingException; +import jakarta.ws.rs.core.Response; +import java.util.List; +import java.util.NoSuchElementException; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.keycloak.admin.client.Keycloak; +import org.keycloak.admin.client.resource.UserResource; +import org.keycloak.representations.idm.GroupRepresentation; +import org.keycloak.representations.idm.MemberRepresentation; +import org.keycloak.representations.idm.OrganizationRepresentation; +import org.keycloak.representations.idm.UserRepresentation; +import org.mockito.Mockito; + +class KeycloakAdminReactiveClientTest { + private KeycloakAdminReactiveClient adminClient; + private final Keycloak keycloak = mock(Keycloak.class); + + @BeforeEach + void setup() { + when(this.keycloak.realm("test-realm")).thenReturn(mock()); + + when(this.keycloak.realm("test-realm").organizations()).thenReturn(mock()); + when(this.keycloak.realm("test-realm").groups()).thenReturn(mock()); + when(this.keycloak.realm("test-realm").users()).thenReturn(mock()); + + final var configProperties = KeycloakClientConfigProperties.builder() + .realm("test-realm") + .build(); + + this.adminClient = + Mockito.spy(new KeycloakAdminReactiveClient(this.keycloak, configProperties)); + } + + @Test + void testCreateOrganization_Success() { + // Arrange + final var orgToCreate = new OrganizationRepresentation(); + orgToCreate.setId("test-id"); + orgToCreate.setName("Test Organization"); + + final var response = mock(Response.class); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()) + .thenReturn(Response.Status.Family.SUCCESSFUL); + when(response.readEntity(OrganizationRepresentation.class)).thenReturn(orgToCreate); + + when(this.keycloak.realm("test-realm") + .organizations().create(orgToCreate)) + .thenReturn(response); + + // Act + final var result = this.adminClient.createOrganization(orgToCreate).block(); + + // Assert + assertNotNull(result); + assertEquals("Test Organization", result.getName()); + //noinspection resource + verify(this.keycloak.realm("test-realm").organizations()).create(orgToCreate); + } + + @Test + void testCreateOrganization_Failure() { + // Arrange + final var orgToCreate = new OrganizationRepresentation(); + orgToCreate.setId("test-id"); + orgToCreate.setName("Test Organization"); + + final var response = mock(Response.class); + when(response.getStatusInfo()).thenReturn(mock()); + + // keycloak return non-200 + when(response.getStatusInfo().getFamily()) + .thenReturn(Response.Status.Family.CLIENT_ERROR); + when(response.readEntity(String.class)).thenReturn("Error occurred"); + + when( + this.keycloak.realm("test-realm").organizations() + .create(orgToCreate)) + .thenReturn(response); + + // Act & Assert + Assertions.assertThrows(ServiceUnavailableException.class, + () -> this.adminClient.createOrganization(orgToCreate).block()); + + + // client read exception + when(response.getStatusInfo().getFamily()) + .thenReturn(Response.Status.Family.SUCCESSFUL); + when(response.readEntity(OrganizationRepresentation.class)) + .thenThrow(new ProcessingException("test")); + + when( + this.keycloak.realm("test-realm").organizations() + .create(orgToCreate)) + .thenReturn(response); + + // Act & Assert + Assertions.assertThrows(ProcessingException.class, + () -> this.adminClient.createOrganization(orgToCreate).block()); + } + + @Test + void testGetOrganizations_Success() { + // Arrange + final var organization1 = new OrganizationRepresentation(); + organization1.setId("org-1"); + organization1.setName("Organization 1"); + + final var organization2 = new OrganizationRepresentation(); + organization2.setId("org-2"); + organization2.setName("Organization 2"); + + when(this.keycloak.realm("test-realm") + .organizations().list(null, Integer.MAX_VALUE)) + .thenReturn(List.of(organization1, organization2)); + + // Act + final var result = this.adminClient.getOrganizations().block(); + + // Assert + assertNotNull(result); + assertEquals(2, result.size()); + assertEquals("Organization 1", result.get(0).getName()); + assertEquals("Organization 2", result.get(1).getName()); + verify(this.keycloak.realm("test-realm").organizations()).list(null, Integer.MAX_VALUE); + } + + @Test + void testGetOrganizationById_Success() { + // Arrange + final var organization = new OrganizationRepresentation(); + organization.setId("org-1"); + organization.setName("Test Organization"); + + when(this.keycloak.realm("test-realm") + .organizations().get("org-1")) + .thenReturn(mock()); + when(this.keycloak.realm("test-realm") + .organizations().get("org-1").toRepresentation()) + .thenReturn(organization); + + // Act + final var result = this.adminClient.getOrganizationById("org-1").block(); + + // Assert + assertNotNull(result); + assertEquals("org-1", result.getId()); + assertEquals("Test Organization", result.getName()); + verify(this.keycloak.realm("test-realm").organizations().get("org-1")) + .toRepresentation(); + } + + @Test + void testGetOrganizationById_NotFound() { + // Arrange + when(this.keycloak.realm("test-realm") + .organizations().get("non-existing-id")) + .thenReturn(mock()); + when(this.keycloak.realm("test-realm") + .organizations().get("non-existing-id").toRepresentation()) + .thenThrow(new NotFoundException("Organization not found")); + + // Act & Assert + Assertions.assertThrows(NoSuchElementException.class, + () -> this.adminClient.getOrganizationById("non-existing-id").block()); + verify(this.keycloak.realm("test-realm").organizations().get("non-existing-id")) + .toRepresentation(); + } + + @Test + void testUpdateOrganization_Success() { + // Arrange + final var orgId = "org-1"; + final var orgToUpdate = new OrganizationRepresentation(); + orgToUpdate.setId("org-1"); + orgToUpdate.setName("Updated Organization"); + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).update(orgToUpdate)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SUCCESSFUL); + + // Act + this.adminClient.updateOrganization(orgId, orgToUpdate).block(); + + // Assert + //noinspection resource + verify(this.keycloak.realm("test-realm").organizations().get(orgId)).update(orgToUpdate); + } + + @Test + void testUpdateOrganization_Failure_ClientError() { + // Arrange + final var orgId = "org-1"; + final var orgToUpdate = new OrganizationRepresentation(); + orgToUpdate.setId("org-1"); + orgToUpdate.setName("Updated Organization"); + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).update(orgToUpdate)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.CLIENT_ERROR); + when(response.readEntity(String.class)).thenReturn("Client error occurred"); + + // Act & Assert + Assertions.assertThrows(ServiceUnavailableException.class, + () -> this.adminClient.updateOrganization(orgId, orgToUpdate).block()); + } + + @Test + void testUpdateOrganization_Failure_ProcessingException() { + // Arrange + final var orgId = "org-1"; + final var orgToUpdate = new OrganizationRepresentation(); + orgToUpdate.setId("org-1"); + orgToUpdate.setName("Updated Organization"); + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).update(orgToUpdate)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SERVER_ERROR); + when(response.readEntity(String.class)) + .thenThrow(new ProcessingException("Processing error")); + + // Act & Assert + Assertions.assertThrows(ProcessingException.class, + () -> this.adminClient.updateOrganization(orgId, orgToUpdate).block()); + } + + @Test + void testDeleteOrganization_Success() { + // Arrange + final var orgId = "org-1"; + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).delete()) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SUCCESSFUL); + + // Act + this.adminClient.deleteOrganization(orgId).block(); + + // Assert + //noinspection resource + verify(this.keycloak.realm("test-realm").organizations().get(orgId)).delete(); + } + + @Test + void testDeleteOrganization_Failure_ClientError() { + // Arrange + final var orgId = "org-1"; + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).delete()) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.CLIENT_ERROR); + when(response.readEntity(String.class)).thenReturn("Client error occurred"); + + // Act & Assert + Assertions.assertThrows(ServiceUnavailableException.class, + () -> this.adminClient.deleteOrganization(orgId).block()); + } + + @Test + void testDeleteOrganization_Failure_ServerError() { + // Arrange + final var orgId = "org-1"; + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).delete()) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SERVER_ERROR); + when(response.readEntity(String.class)).thenReturn("Server error occurred"); + + // Act & Assert + Assertions.assertThrows(ServiceUnavailableException.class, + () -> this.adminClient.deleteOrganization(orgId).block()); + } + + @Test + void testInviteUserToOrganization_Success() { + // Arrange + final var orgId = "org-1"; + final var invitation = new KeycloakInvitationRequest("test@example.com", "Test", "User"); + final var response = mock(Response.class); + + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()).thenReturn( + mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members() + .inviteUser(invitation.getEmail(), invitation.getFirstName(), + invitation.getLastName())) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SUCCESSFUL); + + // Act + this.adminClient.inviteUserToOrganization(orgId, invitation).block(); + + // Assert + //noinspection resource + verify(this.keycloak.realm("test-realm").organizations().get(orgId).members()) + .inviteUser(invitation.getEmail(), invitation.getFirstName(), + invitation.getLastName()); + } + + @Test + void testInviteUserToOrganization_Failure_ClientError() { + // Arrange + final var orgId = "org-1"; + final var invitation = new KeycloakInvitationRequest("test@example.com", "Test", "User"); + final var response = mock(Response.class); + + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()).thenReturn( + mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members() + .inviteUser(invitation.getEmail(), invitation.getFirstName(), + invitation.getLastName())) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.CLIENT_ERROR); + when(response.readEntity(String.class)).thenReturn("Client error occurred"); + + // Act & Assert + Assertions.assertThrows(ServiceUnavailableException.class, + () -> this.adminClient.inviteUserToOrganization(orgId, invitation).block()); + } + + @Test + void testInviteUserToOrganization_Failure_Exception() { + // Arrange + final var orgId = "org-1"; + final var invitation = new KeycloakInvitationRequest("test@example.com", "Test", "User"); + final var response = mock(Response.class); + + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()).thenReturn( + mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members() + .inviteUser(invitation.getEmail(), invitation.getFirstName(), + invitation.getLastName())) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SERVER_ERROR); + when(response.readEntity(String.class)).thenThrow(new RuntimeException("Unexpected error")); + + // Act & Assert + Assertions.assertThrows(RuntimeException.class, + () -> this.adminClient.inviteUserToOrganization(orgId, invitation).block()); + } + + @Test + void testGetOrganizationMembers_Success() { + // Arrange + final var orgId = "org-1"; + + final var member1 = new MemberRepresentation(); + member1.setId("user-1"); + member1.setUsername("member1"); + + final var member2 = new MemberRepresentation(); + member2.setId("user-2"); + member2.setUsername("member2"); + + when(this.keycloak.realm("test-realm").organizations().get(orgId)) + .thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()) + .thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId) + .members().list(null, Integer.MAX_VALUE)) + .thenReturn(List.of(member1, member2)); + + // Act + final var result = this.adminClient.getOrganizationMembers(orgId).block(); + + // Assert + assertNotNull(result); + assertEquals(2, result.size()); + assertEquals("user-1", result.get(0).getId()); + assertEquals("user-2", result.get(1).getId()); + verify(this.keycloak.realm("test-realm").organizations().get(orgId) + .members()).list(null, Integer.MAX_VALUE); + } + + @Test + void testGetOrganizationMembers_Failure_NotFound() { + // Arrange + final var orgId = "non-existing-org"; + + when(this.keycloak.realm("test-realm").organizations().get(orgId)) + .thenThrow(new NotFoundException("Organization not found")); + + // Act & Assert + Assertions.assertThrows(NoSuchElementException.class, + () -> this.adminClient.getOrganizationMembers(orgId).block()); + verify(this.keycloak.realm("test-realm").organizations()).get(orgId); + } + + @Test + void testAddMemberToOrganization_Success() { + // Arrange + final var orgId = "org-1"; + final var userId = "user-1"; + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()).thenReturn( + mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members() + .addMember(userId)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SUCCESSFUL); + + // Act + this.adminClient.addMemberToOrganization(orgId, userId).block(); + + // Assert + //noinspection resource + verify(this.keycloak.realm("test-realm").organizations().get(orgId).members()) + .addMember(userId); + } + + @Test + void testAddMemberToOrganization_Failure_ClientError() { + // Arrange + final var orgId = "org-1"; + final var userId = "user-1"; + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()).thenReturn( + mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members() + .addMember(userId)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.CLIENT_ERROR); + when(response.readEntity(String.class)).thenReturn("Client error occurred"); + + // Act & Assert + Assertions.assertThrows(ServiceUnavailableException.class, + () -> this.adminClient.addMemberToOrganization(orgId, userId).block()); + } + + @Test + void testAddMemberToOrganization_Failure_UnexpectedException() { + // Arrange + final var orgId = "org-1"; + final var userId = "user-1"; + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()).thenReturn( + mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members() + .addMember(userId)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SERVER_ERROR); + when(response.readEntity(String.class)).thenThrow(new RuntimeException("Unexpected error")); + + // Act & Assert + Assertions.assertThrows(RuntimeException.class, + () -> this.adminClient.addMemberToOrganization(orgId, userId).block()); + } + + @Test + void testRemoveMemberFromOrganization_Success() { + // Arrange + final var orgId = "org-1"; + final var userId = "user-1"; + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()).thenReturn( + mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members() + .removeMember(userId)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SUCCESSFUL); + + // Act + this.adminClient.removeMemberFromOrganization(orgId, userId).block(); + + // Assert + //noinspection resource + verify(this.keycloak.realm("test-realm").organizations().get(orgId).members()) + .removeMember(userId); + } + + @Test + void testRemoveMemberFromOrganization_Failure_ClientError() { + // Arrange + final var orgId = "org-1"; + final var userId = "user-1"; + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()).thenReturn( + mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members() + .removeMember(userId)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.CLIENT_ERROR); + when(response.readEntity(String.class)).thenReturn("Client error occurred"); + + // Act & Assert + Assertions.assertThrows(ServiceUnavailableException.class, + () -> this.adminClient.removeMemberFromOrganization(orgId, userId).block()); + } + + @Test + void testRemoveMemberFromOrganization_Failure_Exception() { + // Arrange + final var orgId = "org-1"; + final var userId = "user-1"; + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").organizations().get(orgId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members()).thenReturn( + mock()); + when(this.keycloak.realm("test-realm").organizations().get(orgId).members() + .removeMember(userId)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SERVER_ERROR); + when(response.readEntity(String.class)).thenThrow(new RuntimeException("Unexpected error")); + + // Act & Assert + Assertions.assertThrows(RuntimeException.class, + () -> this.adminClient.removeMemberFromOrganization(orgId, userId).block()); + } + + @Test + void testCreateSubGroup_Success() { + // Arrange + final var parentGroupId = "parent-group-1"; + final var subGroup = new GroupRepresentation(); + subGroup.setName("Sub Group 1"); + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").groups().group(parentGroupId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").groups().group(parentGroupId).subGroup(subGroup)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SUCCESSFUL); + + // Act + this.adminClient.createSubGroup(parentGroupId, subGroup).block(); + + // Assert + //noinspection resource + verify(this.keycloak.realm("test-realm").groups().group(parentGroupId)).subGroup(subGroup); + } + + @Test + void testCreateSubGroup_Failure_ClientError() { + // Arrange + final var parentGroupId = "parent-group-1"; + final var subGroup = new GroupRepresentation(); + subGroup.setName("Sub Group 1"); + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").groups().group(parentGroupId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").groups().group(parentGroupId).subGroup(subGroup)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.CLIENT_ERROR); + when(response.readEntity(String.class)).thenReturn("Client error occurred"); + + // Act & Assert + Assertions.assertThrows(ServiceUnavailableException.class, + () -> this.adminClient.createSubGroup(parentGroupId, subGroup).block()); + } + + @Test + void testCreateSubGroup_Failure_Exception() { + // Arrange + final var parentGroupId = "parent-group-1"; + final var subGroup = new GroupRepresentation(); + subGroup.setName("Sub Group 1"); + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").groups().group(parentGroupId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").groups().group(parentGroupId).subGroup(subGroup)) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SERVER_ERROR); + when(response.readEntity(String.class)).thenThrow(new RuntimeException("Unexpected error")); + + // Act & Assert + Assertions.assertThrows(RuntimeException.class, + () -> this.adminClient.createSubGroup(parentGroupId, subGroup).block()); + } + + @Test + void testGetGroupById_Success() { + // Arrange + final var groupId = "group-1"; + final var group = new GroupRepresentation(); + group.setId(groupId); + group.setName("Test Group"); + + when(this.keycloak.realm("test-realm").groups().group(groupId)) + .thenReturn(mock()); + when(this.keycloak.realm("test-realm").groups().group(groupId).toRepresentation()) + .thenReturn(group); + + // Act + final var result = this.adminClient.getGroupById(groupId).block(); + + // Assert + assertNotNull(result); + assertEquals("group-1", result.getId()); + assertEquals("Test Group", result.getName()); + verify(this.keycloak.realm("test-realm").groups().group(groupId)).toRepresentation(); + } + + @Test + void testGetGroupById_NotFound() { + // Arrange + final var groupId = "non-existing-group"; + + when(this.keycloak.realm("test-realm").groups().group(groupId)) + .thenReturn(mock()); + when(this.keycloak.realm("test-realm").groups().group(groupId).toRepresentation()) + .thenThrow(new NotFoundException("Group not found")); + + // Act & Assert + Assertions.assertThrows(NoSuchElementException.class, + () -> this.adminClient.getGroupById(groupId).block()); + verify(this.keycloak.realm("test-realm").groups().group(groupId)).toRepresentation(); + } + + @Test + void testListSubGroups_Success() { + // Arrange + final var parentGroupId = "parent-group-1"; + + final var subGroup1 = new GroupRepresentation(); + subGroup1.setId("sub-group-1"); + subGroup1.setName("Sub Group 1"); + + final var subGroup2 = new GroupRepresentation(); + subGroup2.setId("sub-group-2"); + subGroup2.setName("Sub Group 2"); + + when(this.keycloak.realm("test-realm").groups().group(parentGroupId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").groups().group(parentGroupId) + .getSubGroups(null, Integer.MAX_VALUE, false)) + .thenReturn(List.of(subGroup1, subGroup2)); + + // Act + final var result = this.adminClient.listSubGroups(parentGroupId).block(); + + // Assert + assertNotNull(result); + assertEquals(2, result.size()); + assertEquals("sub-group-1", result.get(0).getId()); + assertEquals("sub-group-2", result.get(1).getId()); + verify(this.keycloak.realm("test-realm").groups().group(parentGroupId)) + .getSubGroups(null, Integer.MAX_VALUE, false); + } + + @Test + void testListSubGroups_NotFound() { + // Arrange + final var parentGroupId = "non-existing-group"; + + when(this.keycloak.realm("test-realm").groups().group(parentGroupId)) + .thenThrow(new NotFoundException("Group not found")); + + // Act & Assert + Assertions.assertThrows(NoSuchElementException.class, + () -> this.adminClient.listSubGroups(parentGroupId).block()); + verify(this.keycloak.realm("test-realm").groups()).group(parentGroupId); + } + + @Test + void testUpdateGroup_Success() { + // Arrange + final var groupId = "group-1"; + final var groupToUpdate = new GroupRepresentation(); + groupToUpdate.setId("group-1"); + groupToUpdate.setName("Updated Group"); + + when(this.keycloak.realm("test-realm").groups().group(groupId)).thenReturn(mock()); + + // Act + this.adminClient.updateGroup(groupId, groupToUpdate).block(); + + // Assert + verify(this.keycloak.realm("test-realm").groups().group(groupId)).update(groupToUpdate); + } + + @Test + void testUpdateGroup_NotFound() { + // Arrange + final var groupId = "non-existing-group"; + final var groupToUpdate = new GroupRepresentation(); + groupToUpdate.setId("non-existing-group"); + groupToUpdate.setName("Non-existing Group"); + + when(this.keycloak.realm("test-realm").groups().group(groupId)) + .thenThrow(new NotFoundException("Group not found")); + + // Act & Assert + Assertions.assertThrows(NoSuchElementException.class, + () -> this.adminClient.updateGroup(groupId, groupToUpdate).block()); + verify(this.keycloak.realm("test-realm").groups()).group(groupId); + } + + @Test + void testDeleteGroup_Success() { + // Arrange + final var groupId = "group-1"; + when(this.keycloak.realm("test-realm").groups().group(groupId)).thenReturn(mock()); + + // Act + this.adminClient.deleteGroup(groupId).block(); + + // Assert + verify(this.keycloak.realm("test-realm").groups().group(groupId)).remove(); + } + + @Test + void testDeleteGroup_NotFound() { + // Arrange + final var groupId = "non-existing-group"; + when(this.keycloak.realm("test-realm").groups().group(groupId)) + .thenThrow(new NotFoundException("Group not found")); + + // Act & Assert + Assertions.assertThrows(NoSuchElementException.class, + () -> this.adminClient.deleteGroup(groupId).block()); + verify(this.keycloak.realm("test-realm").groups()).group(groupId); + } + + @Test + void testAddMemberToGroup_Success() { + // Arrange + final var groupId = "group-1"; + final var userId = "user-1"; + + when(this.keycloak.realm("test-realm").users().get(userId)).thenReturn(mock()); + + // Act + this.adminClient.addMemberToGroup(groupId, userId).block(); + + // Assert + verify(this.keycloak.realm("test-realm").users().get(userId)).joinGroup(groupId); + } + + @Test + void testAddMemberToGroup_ClientError() { + // Arrange + final var groupId = "group-1"; + final var userId = "user-1"; + + final var userResource = mock(UserResource.class); + when(this.keycloak.realm("test-realm").users().get(userId)).thenReturn(userResource); + doThrow(new ClientErrorException(404)).when(userResource).joinGroup(groupId); + + // Act & Assert + Assertions.assertThrows(IllegalArgumentException.class, + () -> this.adminClient.addMemberToGroup(groupId, userId).block()); + } + + @Test + void testGetGroupMembers_Success() { + // Arrange + final var groupId = "group-1"; + + final var member1 = new UserRepresentation(); + member1.setId("user-1"); + member1.setUsername("member1"); + + final var member2 = new UserRepresentation(); + member2.setId("user-2"); + member2.setUsername("member2"); + + when(this.keycloak.realm("test-realm").groups().group(groupId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").groups().group(groupId).members()) + .thenReturn(List.of(member1, member2)); + + // Act + final var result = this.adminClient.getGroupMembers(groupId).block(); + + // Assert + assertNotNull(result); + assertEquals(2, result.size()); + assertEquals("user-1", result.get(0).getId()); + assertEquals("user-2", result.get(1).getId()); + verify(this.keycloak.realm("test-realm").groups().group(groupId)).members(); + } + + @Test + void testGetGroupMembers_GroupNotFound() { + // Arrange + final var groupId = "non-existing-group"; + + when(this.keycloak.realm("test-realm").groups().group(groupId)) + .thenThrow(new NotFoundException("Group not found")); + + // Act & Assert + Assertions.assertThrows(NoSuchElementException.class, + () -> this.adminClient.getGroupMembers(groupId).block()); + verify(this.keycloak.realm("test-realm").groups()).group(groupId); + } + + @Test + void testRemoveMemberFromGroup_Success() { + // Arrange + final var groupId = "group-1"; + final var userId = "user-1"; + + when(this.keycloak.realm("test-realm").users().get(userId)).thenReturn(mock()); + + // Act + this.adminClient.removeMemberFromGroup(groupId, userId).block(); + + // Assert + verify(this.keycloak.realm("test-realm").users().get(userId)).leaveGroup(groupId); + } + + @Test + void testRemoveMemberFromGroup_Failure_ClientError() { + // Arrange + final var groupId = "group-1"; + final var userId = "user-1"; + + final var userResource = mock(UserResource.class); + when(this.keycloak.realm("test-realm").users().get(userId)).thenReturn(userResource); + doThrow(new ClientErrorException(404)).when(userResource).leaveGroup(groupId); + + // Act & Assert + Assertions.assertThrows(IllegalArgumentException.class, + () -> this.adminClient.removeMemberFromGroup(groupId, userId).block()); + } + + @Test + void testRegisterUser_Success() { + // Arrange + final var registrationRequest = new RegistrationRequest( + "John", "Doe", "john@example.com", "password123" + ); + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").users().create(any(UserRepresentation.class))) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SUCCESSFUL); + + // Act + this.adminClient.registerUser(registrationRequest).block(); + + // Assert + //noinspection resource + verify(this.keycloak.realm("test-realm").users()) + .create(argThat(user -> user.getUsername().equals("john@example.com"))); + } + + @Test + void testRegisterUser_UserAlreadyExists() { + // Arrange + final var registrationRequest = new RegistrationRequest( + "John", "Doe", "john@example.com", "password123" + ); + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").users().create(any(UserRepresentation.class))) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.CLIENT_ERROR); + when(response.getStatus()).thenReturn(409); + + // Act & Assert + Assertions.assertThrows(UserAlreadyExistsException.class, + () -> this.adminClient.registerUser(registrationRequest).block()); + } + + @Test + void testRegisterUser_ServerError() { + // Arrange + final var registrationRequest = new RegistrationRequest( + "John", "Doe", "john@example.com", "password123" + ); + + final var response = mock(Response.class); + when(this.keycloak.realm("test-realm").users().create(any(UserRepresentation.class))) + .thenReturn(response); + when(response.getStatusInfo()).thenReturn(mock()); + when(response.getStatusInfo().getFamily()).thenReturn(Response.Status.Family.SERVER_ERROR); + when(response.readEntity(String.class)).thenReturn("Internal Server Error"); + + // Act & Assert + Assertions.assertThrows(RegistrationException.class, + () -> this.adminClient.registerUser(registrationRequest).block()); + } + + @Test + void testGetUserDetails_Success() { + // Arrange + final var userId = "user-1"; + final var userRepresentation = new UserRepresentation(); + userRepresentation.setId(userId); + userRepresentation.setUsername("user1"); + + when(this.keycloak.realm("test-realm").users().get(userId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").users().get(userId).toRepresentation()) + .thenReturn(userRepresentation); + + // Act + final var result = this.adminClient.getUserDetails(userId).block(); + + // Assert + assertNotNull(result); + assertEquals("user-1", result.getId()); + assertEquals("user1", result.getUsername()); + verify(this.keycloak.realm("test-realm").users().get(userId)).toRepresentation(); + } + + @Test + void testGetUserDetails_UserNotFound() { + // Arrange + final var userId = "non-existing-user"; + + when(this.keycloak.realm("test-realm").users().get(userId)).thenReturn(mock()); + when(this.keycloak.realm("test-realm").users().get(userId).toRepresentation()) + .thenThrow(new NotFoundException("User not found")); + + // Act & Assert + Assertions.assertThrows(NoSuchElementException.class, + () -> this.adminClient.getUserDetails(userId).block()); + verify(this.keycloak.realm("test-realm").users().get(userId)).toRepresentation(); + } +} \ No newline at end of file diff --git a/src/test/java/com/cleverthis/authservice/service/impl/KeycloakIdentityManagerServiceTest.java b/src/test/java/com/cleverthis/authservice/service/impl/KeycloakIdentityManagerServiceTest.java index c84fa4a..fc9f76a 100644 --- a/src/test/java/com/cleverthis/authservice/service/impl/KeycloakIdentityManagerServiceTest.java +++ b/src/test/java/com/cleverthis/authservice/service/impl/KeycloakIdentityManagerServiceTest.java @@ -1,28 +1,42 @@ package com.cleverthis.authservice.service.impl; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.ArgumentMatchers.any; import com.cleverthis.authservice.config.KeycloakClientConfigProperties; import com.cleverthis.authservice.dto.TokenResponse; import com.cleverthis.authservice.dto.VerificationResponse; +import com.cleverthis.authservice.dto.group.CreateGroupRequest; +import com.cleverthis.authservice.dto.keycloakadmin.KeycloakInvitationRequest; +import com.cleverthis.authservice.dto.organization.CreateOrganizationRequest; +import com.cleverthis.authservice.dto.organization.InviteUserRequest; +import com.cleverthis.authservice.dto.organization.UpdateOrganizationRequest; import com.cleverthis.authservice.exception.AuthenticationException; import com.cleverthis.authservice.exception.TokenVerificationException; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import java.io.IOException; +import java.util.List; +import java.util.Map; import okhttp3.mockwebserver.MockResponse; import okhttp3.mockwebserver.MockWebServer; import okhttp3.mockwebserver.RecordedRequest; import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import org.keycloak.representations.idm.GroupRepresentation; +import org.keycloak.representations.idm.MemberRepresentation; +import org.keycloak.representations.idm.OrganizationDomainRepresentation; +import org.keycloak.representations.idm.OrganizationRepresentation; +import org.keycloak.representations.idm.UserRepresentation; import org.mockito.Mockito; import org.springframework.web.reactive.function.client.WebClient; +import reactor.core.publisher.Mono; import reactor.test.StepVerifier; class KeycloakIdentityManagerServiceTest { private MockWebServer mockBackEnd; - private KeycloakAdminClient adminClient; + private KeycloakAdminReactiveClient adminClient; private KeycloakIdentityManagerService service; private final ObjectMapper objectMapper = new ObjectMapper(); @@ -40,7 +54,7 @@ class KeycloakIdentityManagerServiceTest { .clientId("test-client") .clientSecret("client-password") .build(); - this.adminClient = Mockito.mock(KeycloakAdminClient.class); + this.adminClient = Mockito.mock(KeycloakAdminReactiveClient.class); this.service = Mockito.spy(new KeycloakIdentityManagerService( webClient, this.adminClient, configProperties)); @@ -246,4 +260,375 @@ class KeycloakIdentityManagerServiceTest { .expectNext(false) .verifyComplete(); } + + @Test + void createOrganization_success() { + // Arrange + final var request = new CreateOrganizationRequest( + "Test Organization", List.of("test.org"), "", Map.of() + ); + final var mockResponse = new OrganizationRepresentation(); + mockResponse.setId("123"); + mockResponse.setName("Test Organization"); + mockResponse.addDomain(new OrganizationDomainRepresentation("test.org")); + mockResponse.setDescription(""); + mockResponse.setEnabled(true); + + Mockito.when(this.adminClient.createOrganization(any())) + .thenReturn(Mono.just(mockResponse)); + + // Act + final var result = this.service.createOrganization(request); + + // Assert + StepVerifier.create(result) + .expectNextMatches(response -> "123".equals(response.getId()) && + "Test Organization".equals(response.getName())) + .verifyComplete(); + } + + @Test + void getOrganizations_success() { + // Arrange + final var mockOrganizations = List.of( + new OrganizationRepresentation() {{ + setId("org1"); + setName("Organization 1"); + addDomain(new OrganizationDomainRepresentation("domain1.org")); + }}, + new OrganizationRepresentation() {{ + setId("org2"); + setName("Organization 2"); + addDomain(new OrganizationDomainRepresentation("domain2.org")); + }} + ); + + Mockito.when(this.adminClient.getOrganizations()) + .thenReturn(Mono.just(mockOrganizations)); + + // Act + final var result = this.service.getOrganizations(); + + // Assert + StepVerifier.create(result) + .expectNextMatches(orgList -> orgList.size() == 2 + && "Organization 1".equals(orgList.getFirst().getName()) + && "domain1.org".equals( + orgList.getFirst().getDomains().iterator().next().getName()) + && "Organization 2".equals(orgList.get(1).getName())) + .verifyComplete(); + } + + @Test + void getOrganizationById_success() { + // Arrange + final var orgId = "abc123"; + final var orgRepresentation = new OrganizationRepresentation(); + orgRepresentation.setId(orgId); + orgRepresentation.setName("Test Organization"); + orgRepresentation.addDomain(new OrganizationDomainRepresentation("test.org")); + orgRepresentation.setDescription("Test Description"); + orgRepresentation.setEnabled(true); + + Mockito.when(this.adminClient.getOrganizationById(orgId)) + .thenReturn(Mono.just(orgRepresentation)); + + // Act + final var result = this.service.getOrganizationById(orgId); + + // Assert + StepVerifier.create(result) + .expectNextMatches(response -> "abc123".equals(response.getId()) + && "Test Organization".equals(response.getName()) + && "Test Description".equals(response.getDescription()) + && Boolean.TRUE.equals(response.getEnabled()) + && response.getDomains().iterator().next().getName().equals("test.org")) + .verifyComplete(); + } + + @Test + void updateOrganization_success() { + // Arrange + final var orgId = "org123"; + final var updateRequest = new UpdateOrganizationRequest( + List.of("updated.org"), "Updated Description", Map.of("key", List.of("value")) + ); + final var existingOrg = new OrganizationRepresentation(); + existingOrg.setId(orgId); + existingOrg.setDescription("Old Description"); + existingOrg.addDomain(new OrganizationDomainRepresentation("old.org")); + + Mockito.when(this.adminClient.getOrganizationById(orgId)) + .thenReturn(Mono.just(existingOrg)); + Mockito.when(this.adminClient.updateOrganization(orgId, existingOrg)) + .thenReturn(Mono.empty()); + + // Act + final var result = this.service.updateOrganization(orgId, updateRequest); + + // Assert + StepVerifier.create(result) + .verifyComplete(); + + Mockito.verify(this.adminClient).updateOrganization(orgId, existingOrg); + assertEquals("Updated Description", existingOrg.getDescription()); + assertEquals("value", existingOrg.getAttributes().get("key").getFirst()); + assertEquals(1, existingOrg.getDomains().size()); + assertEquals("updated.org", existingOrg.getDomains().iterator().next().getName()); + } + + @Test + void deleteOrganization_success() { + // Arrange + final var orgId = "test-org-id"; + + Mockito.when(this.adminClient.deleteOrganization(orgId)) + .thenReturn(Mono.empty()); + + // Act + final var result = this.service.deleteOrganization(orgId); + + // Assert + StepVerifier.create(result) + .verifyComplete(); + + Mockito.verify(this.adminClient).deleteOrganization(orgId); + } + + @Test + void inviteUserToOrganization_success() { + // Arrange + final var orgId = "test-org-id"; + final var request = new InviteUserRequest("test@example.com", "John", "Wick"); + final var invitationRequest = new KeycloakInvitationRequest(); + invitationRequest.setEmail(request.getEmail()); + invitationRequest.setFirstName(request.getFirstName()); + invitationRequest.setLastName(request.getLastName()); + + Mockito.when(this.adminClient.inviteUserToOrganization(any(), any())) + .thenReturn(Mono.empty()); + + // Act + final var result = this.service.inviteUserToOrganization(orgId, request); + + // Assert + StepVerifier.create(result) + .verifyComplete(); + + Mockito.verify(this.adminClient).inviteUserToOrganization(orgId, invitationRequest); + } + + @Test + void getOrganizationMembers_success() { + // Arrange + final var orgId = "test-org-id"; + final var mockMembers = List.of( + // I asked Gemini, and this is an antipattern that no one mentions + // when I learned Java. Basically, it will create a new anonymous + // class for every instance. In this case, we have two. + // Gemini suggests we use a method to create a user and then put it in the list, + // but a dedicated method is not as compact as double brace initialization. + // This test is generated by gemini 2.5 pro. I think it's ok to use here + // because it's a unit test, and I blame keycloak to not offer a builder. + // DO NOT use this pattern in the main source set. + new MemberRepresentation() {{ + setId("user1"); + setUsername("user1Username"); + setFirstName("User1"); + setLastName("One"); + setEmail("user1@example.com"); + setEnabled(true); + }}, + new MemberRepresentation() {{ + setId("user2"); + setUsername("user2Username"); + setFirstName("User2"); + setLastName("Two"); + setEmail("user2@example.com"); + setEnabled(true); + }} + ); + + Mockito.when(this.adminClient.getOrganizationMembers(orgId)) + .thenReturn(Mono.just(mockMembers)); + + // Act + final var result = this.service.getOrganizationMembers(orgId); + + // Assert + StepVerifier.create(result) + .expectNextMatches(members -> members.size() == 2 + && "user1".equals(members.getFirst().getId()) + && "user1@example.com".equals(members.getFirst().getEmail()) + && "user2".equals(members.get(1).getId()) + && "user2@example.com".equals(members.get(1).getEmail())) + .verifyComplete(); + + Mockito.verify(this.adminClient).getOrganizationMembers(orgId); + } + + @Test + void addMemberToOrganization_success() { + // Arrange + final var orgId = "test-org-id"; + final var userId = "test-user-id"; + + Mockito.when(this.adminClient.addMemberToOrganization(orgId, userId)) + .thenReturn(Mono.empty()); + + // Act + final var result = this.service.addMemberToOrganization(orgId, userId); + + // Assert + StepVerifier.create(result) + .verifyComplete(); + + Mockito.verify(this.adminClient).addMemberToOrganization(orgId, userId); + } + + @Test + void removeMemberFromOrganization_success() { + // Arrange + final var orgId = "test-org-id"; + final var userId = "test-user-id"; + + Mockito.when(this.adminClient.removeMemberFromOrganization(orgId, userId)) + .thenReturn(Mono.empty()); + + // Act + final var result = this.service.removeMemberFromOrganization(orgId, userId); + + // Assert + StepVerifier.create(result) + .verifyComplete(); + + Mockito.verify(this.adminClient).removeMemberFromOrganization(orgId, userId); + } + + @Test + void createSubGroup_success() { + // Arrange + final var parentGroupId = "parent-group-id"; + final var request = new CreateGroupRequest( + "Test SubGroup", "", Map.of("key", List.of("value"))); + final var mockGroupRepresentation = new GroupRepresentation(); + mockGroupRepresentation.setId("sub-group-id"); + mockGroupRepresentation.setName(request.getName()); + mockGroupRepresentation.setAttributes(request.getAttributes()); + + Mockito.when(this.adminClient.createSubGroup(parentGroupId, mockGroupRepresentation)) + .thenReturn(Mono.empty()); + + // Act + final var result = this.service.createSubGroup(parentGroupId, request); + + // Assert + StepVerifier.create(result) + .expectNextMatches(response -> "Test SubGroup".equals(response.getName()) && + response.getAttributes().get("key").contains("value")) + .verifyComplete(); + + Mockito.verify(this.adminClient).createSubGroup(Mockito.eq(parentGroupId), Mockito.any()); + } + + @Test + void getGroupById_success() { + // Arrange + final var groupId = "test-group-id"; + final var mockGroup = new GroupRepresentation(); + mockGroup.setId(groupId); + mockGroup.setName("Test Group"); + mockGroup.setPath("/test-group"); + mockGroup.setDescription("Test Group Description"); + mockGroup.setAttributes(Map.of("key", List.of("value1", "value2"))); + + Mockito.when(this.adminClient.getGroupById(groupId)) + .thenReturn(Mono.just(mockGroup)); + + // Act + final var result = this.service.getGroupById(groupId); + + // Assert + StepVerifier.create(result) + .expectNextMatches(response -> response.getId().equals(groupId) && + response.getName().equals("Test Group") && + response.getPath().equals("/test-group") && + response.getDescription().equals("Test Group Description") && + response.getAttributes().get("key").contains("value1")) + .verifyComplete(); + + Mockito.verify(this.adminClient).getGroupById(groupId); + } + + @Test + void listSubGroups_success() { + // Arrange + final var parentGroupId = "parent-group-id"; + final var subGroups = List.of( + new GroupRepresentation() {{ + setId("sub-group-1"); + setName("SubGroup1"); + }}, + new GroupRepresentation() {{ + setId("sub-group-2"); + setName("SubGroup2"); + }} + ); + + Mockito.when(this.adminClient.listSubGroups(parentGroupId)) + .thenReturn(Mono.just(subGroups)); + + // Act + final var result = this.service.listSubGroups(parentGroupId); + + // Assert + StepVerifier.create(result) + .expectNextMatches(groups -> groups.size() == 2 && + "SubGroup1".equals(groups.getFirst().getName()) && + "sub-group-2".equals(groups.get(1).getId())) + .verifyComplete(); + + Mockito.verify(this.adminClient).listSubGroups(parentGroupId); + } + + @Test + void getGroupMembers_success() { + // Arrange + final var groupId = "test-group-id"; + final var mockMembers = List.of( + new UserRepresentation() {{ + setId("user1"); + setUsername("user1Username"); + setFirstName("User1"); + setLastName("One"); + setEmail("user1@example.com"); + setEnabled(true); + }}, + new UserRepresentation() {{ + setId("user2"); + setUsername("user2Username"); + setFirstName("User2"); + setLastName("Two"); + setEmail("user2@example.com"); + setEnabled(true); + }} + ); + + Mockito.when(this.adminClient.getGroupMembers(groupId)) + .thenReturn(Mono.just(mockMembers)); + + // Act + final var result = this.service.getGroupMembers(groupId); + + // Assert + StepVerifier.create(result) + .expectNextMatches(members -> members.size() == 2 + && "user1".equals(members.getFirst().getId()) + && "user1@example.com".equals(members.getFirst().getEmail()) + && "user2".equals(members.get(1).getId()) + && "user2@example.com".equals(members.get(1).getEmail())) + .verifyComplete(); + + Mockito.verify(this.adminClient).getGroupMembers(groupId); + } } \ No newline at end of file diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml new file mode 100644 index 0000000..e44914f --- /dev/null +++ b/src/test/resources/application.yml @@ -0,0 +1,12 @@ +spring: + cloud: + consul: + config: + enabled: false +otel: + logs: + exporter: none + traces: + exporter: none + metrics: + exporter: none \ No newline at end of file