hydra-billing · hydra-billing-robot · Apr 26, 2022 · Apr 25, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+v2.7.3 [unreleased]
+-------------------
+### Features
+- [#651](https://github.com/latera/homs/pull/651) HOMS-414 Add role transfering from keycloak to HOMS.
+
 v2.7.2 [2022-04-01]
 -------------------
 ### Features

diff --git a/README.md b/README.md
@@ -113,6 +113,9 @@ Name | Mapper type | User attribute | Token clain name | Claim JSON type | Add t
 `email` | `User Attribute` | `email` | `email` | string | On | On | On | Off | Off 
 `last_name` | `User Attribute` | `last_name` | `last_name` | string | On | On | On | Off | Off 
 `name` | `User Attribute` | `name` | `name` | string | On | On | On | Off | Off 
+`role*` | `User Attribute` | `role` | `role` | string | On | On | On | Off | Off 
+
+`*` attribure `role` must be `admin` or `user`
 
 3. Add to HOMS config file `homs_configuration.yml`:
 ```

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -6,6 +6,10 @@ class ApplicationController < ActionController::Base
   self.hbw_available = false
   helper_method :hbw_available?
 
+  include Dry::Monads[:result]
+  include Dry::Monads::Do.for(:keycloak_user)
+  include KeycloakUtils
+
   before_action -> { ENV['DISABLE_PRY'] = nil }
 
   def authenticate_user!
@@ -24,9 +28,10 @@ def authenticate_user!
   protected
 
   def keycloak_user(session_state)
-    HOMS.container[:keycloak_client].access_token(session_state).fmap do |access_token|
-      User.from_keycloak(access_token)
-    end
+    access_token = yield HOMS.container[:keycloak_client].access_token(session_state)
+    validated_user_data = yield validate_user_data(access_token)
+
+    Success(User.from_keycloak(validated_user_data))
   end
 
   def use_keycloak?

diff --git a/app/controllers/concerns/http_authentication.rb b/app/controllers/concerns/http_authentication.rb
@@ -62,7 +62,10 @@ def basic_authenticate(realm)
   private
 
   def sign_in_by_token(token)
-    user = User.from_keycloak(::Hydra::Keycloak::Token.new(token))
+    user = validate_user_data(::Hydra::Keycloak::Token.new(token)).bind do |validated_user_data|
+      User.from_keycloak(validated_user_data)
+    end
+    raise(Unauthorized) if user.respond_to?(:failure?) && user.failure?
 
     HOMS.container[:cef_logger].log_user_event(:login, {id: user.id, email: user.email}, request.headers)
     sign_in(user)

diff --git a/app/controllers/concerns/keycloak_utils.rb b/app/controllers/concerns/keycloak_utils.rb
@@ -0,0 +1,26 @@
+module KeycloakUtils
+  extend ActiveSupport::Concern
+
+  Dry::Schema.load_extensions(:monads)
+
+  UserDataSchema = Dry::Schema.JSON do
+    required(:email).filled(:string)
+    required(:name).filled(:string)
+    optional(:last_name).filled(:string)
+    optional(:company).filled(:string)
+    optional(:department).filled(:string)
+    required(:role).filled(:string)
+  end
+
+  def validate_user_data(user_data)
+    UserDataSchema.call(
+      email:      user_data[:email],
+      name:       user_data[:name],
+      last_name:  user_data[:last_name],
+      company:    user_data[:company],
+      department: user_data[:department],
+      role:       user_data[:role]
+    )
+                  .to_monad
+  end
+end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -57,7 +57,13 @@ def authenticate_by_keycloak
       }
       HOMS.container[:cef_logger].log_user_event(:failed_login, user_data, headers)
 
-      flash[:error] = t("devise.failure.#{user.failure[:code]}")
+      flash[:error] = case user.failure
+                      in ::Dry::Schema::Result
+                        t('devise.failure.user_attributes_error', message: user.failure.errors.to_h)
+                      else
+                        t("devise.failure.#{user.failure[:code]}")
+                      end
+
       redirect_to new_user_session_url
     end
   end

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -27,14 +27,18 @@ def empty
     end
 
     def from_keycloak(user_data)
-      where(email: user_data[:email]).first_or_create do |user|
-        user.email = user_data[:email]
-        user.name = user_data[:name]
-        user.last_name = user_data[:last_name] || '-'
-        user.company = user_data[:company] || '-'
-        user.department = user_data[:department] || '-'
-        user.password = Devise.friendly_token
+      user = where(email: user_data[:email]).first_or_create do |new_user|
+        new_user.email = user_data[:email]
+        new_user.name = user_data[:name]
+        new_user.last_name = user_data[:last_name] || '-'
+        new_user.company = user_data[:company] || '-'
+        new_user.department = user_data[:department] || '-'
+        new_user.password = Devise.friendly_token
+        new_user.role = user_data[:role]
       end
+
+      user.update_attribute(:role, user_data[:role])
+      user
     end
   end
 

diff --git a/config/locales/devise.en.yml b/config/locales/devise.en.yml
@@ -21,6 +21,7 @@ en:
       bad_keycloak_response: Error while Keycloak request
       keycloak_unavailable: Keycloak unavailable
       json_parser_error: Error while Keycloak parse Keycloak data
+      user_attributes_error: 'Wrong user attributes: %{message}'
     mailer:
       confirmation_instructions:
         subject: Confirm your email

diff --git a/hbw/app/controllers/hbw/tasks_controller.rb b/hbw/app/controllers/hbw/tasks_controller.rb
@@ -4,6 +4,7 @@ module HBW
   class TasksController < ApiController
     include Minio
     extend Minio::Mixin
+    include KeycloakUtils
 
     inject['minio_adapter']