Grant API-mapped team members admin privileges

H2-invent · Nov 15, 2024 · fca64b0 · fca64b0
1 parent 5aea0bf
commit fca64b0
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/.env b/.env
@@ -82,3 +82,4 @@ GROUP_API_URI=http://localhost
 GROUP_API_KEY=CHANGEME
 GROUP_API_ROLES=CHANGEME,CHANGEME,...
 GROUP_API_USER_ID=CHANGEME
+GROUP_API_GRANT_ADMIN=false
diff --git a/config/services.yaml b/config/services.yaml
@@ -17,6 +17,7 @@ parameters:
     superAdminRole: '%env(superAdminRole)%'
     group_api_user_id: '%env(default::GROUP_API_USER_ID)%'
     group_api_roles: '%env(default::csv:GROUP_API_ROLES)%'
+    group_api_grant_admin: '%env(bool:default::GROUP_API_GRANT_ADMIN)%'
 services:
     # default configuration for services in *this* file
     _defaults:
@@ -64,3 +65,4 @@ services:
         arguments:
             $groupApiUserId: '%group_api_user_id%'
             $groupApiRoles: '%group_api_roles%'
+            $groupApiGrantAdmin: '%group_api_grant_admin%'
diff --git a/src/Security/KeycloakAuthenticator.php b/src/Security/KeycloakAuthenticator.php
@@ -36,6 +36,7 @@ class KeycloakAuthenticator extends OAuth2Authenticator implements Authenticatio
     public function __construct(
         private readonly ?string                $groupApiUserId,
         private readonly ?array                 $groupApiRoles,
+        private readonly bool                   $groupApiGrantAdmin,
         private readonly LoggerInterface        $logger,
         private readonly ParameterBagInterface  $parameterBag,
         private readonly TokenStorageInterface  $tokenStorage,
@@ -204,6 +205,10 @@ private function persistUser(User $user, ResourceOwnerInterface $keycloakUser):
                     $teams = $this->syncApiGroups($keycloakUser);
                     foreach ($teams as $team) {
                         $user->addTeam($team);
+                        if ($this->groupApiGrantAdmin) {
+                            $team->addAdmin($user);
+                            $this->em->persist($team);
+                        }
                     }
                     break;
             }
@@ -214,6 +219,10 @@ private function persistUser(User $user, ResourceOwnerInterface $keycloakUser):
         return $user;
     }
 
+    /**
+     * @param ResourceOwnerInterface $keycloakUser
+     * @return Collection<Team>
+     */
     private function syncApiGroups(ResourceOwnerInterface $keycloakUser): Collection {
         try {
             $userId = $keycloakUser->toArray()[$this->groupApiUserId];