feat: implement connect functionality and rewrite the project

Author: anonrig

package.json

@@ -45,12 +45,14 @@
   "dependencies": {
     "axios": "^0.19.2",
     "keycloak-admin": "^1.13.0",
+    "keycloak-connect": "^10.0.2",
     "openid-client": "^3.15.3"
   },
   "devDependencies": {
     "@commitlint/cli": "^8.3.5",
     "@commitlint/config-conventional": "^8.3.4",
     "@nestjs/common": "^7.1.3",
+    "@nestjs/core": "^7.2.0",
     "@semantic-release/changelog": "^5.0.1",
     "@semantic-release/commit-analyzer": "^8.0.1",
     "@semantic-release/git": "^9.0.0",

readme.md

@@ -21,6 +21,10 @@ Then on your app.module.ts
         }),
         inject: [ConfigService]
       }),
+    ],
+    providers: [
+      { provide: APP_GUARD, useClass: AuthGuard },
+      { provide: APP_GUARD, useClass: ResourceGuard }  
     ]
   })
 ```
@@ -30,21 +34,66 @@ Then on your app.module.ts
 By default nestjs-keycloak-admin supports User Managed Access for managing your resources.
 
 ```typescript
-class Organization() {
+@Controller()
+@DefineResource('organization')
+class OrganizationController() {
   constructor(private readonly adminProvider: KeycloakAdminService) {}
 
-  async findAll(): UMAResource[] {
-    return this.adminProvider.resourceManager.findAll()
+  @Get('/hello')
+  @Public()
+  hello(): string {
+    return 'life is short'
   }
 
-  async create(payload: payload): Promise<UMAResource> {
-    const resource = new UMAResource(payload)
+  @Get('/)
+  @FetchResources()
+  findAll(@Request('resources'): Resource[]): Resource[] {
+    return resources
+  }
+
+  @Get('/:id')
+  @DefineScope('read') // this will check organization:read permission
+  @DefineResourceEnforcer({
+    id: (req: any) => req.params.id
+  })
+  findOne(@Request('resource'): Resource): Resource) {
+    return resource
+  }
+
+  @Get('/slug/:slug')
+  @DefineScope('read')
+  @DefineResourceEnforcer({
+    id: async (req: any, context: ExecutionContext) => {
+      const class = context.getClass<OrganizationController>()
+      const org = await class.typeormProvider.findBySlug(req.params.slug)
+      return org.keycloakId
+    }
+  })
+  findBySlug(@Request('resource'): Resource): Resource) {
+    return resource
+  }
+
+  @Post('/')
+  @DefineScope('create')
+  async create((): Promise<Resource> {
+    let resource = new Resource({
+      name: 'resource',
+      displayName: 'My Resource'
+    })
       .setOwner(1)
-      .addScope('organization:create')
-      .setType('organization')
+      .addScopes([new Scope('organization:read'), new Scope('organization:write')])
+      .setType('urn:resource-server:type:organization')
       .setUri('/organization/123')
+      .setAttributes({
+        valid: true,
+        types: ['customer', 'any']
+      })
+
+    resource = await this.adminProvider.create(resource)
+
+    // create organization on your resource server and add link to resource.id, to access it later.
 
-    return this.adminProvider.create(resource)
+    return resource 
   }
 }
 ```

src/interfaces.ts renamed to src/@types/package.ts

@@ -23,19 +23,3 @@ export interface KeycloakAdminOptions {
   config: KeycloakAdminConfig
   credentials: Credentials
 }
-
-export interface UMAScopeOptions {
-  name: string
-  id?: string
-  iconUri?: string
-}
-
-export interface UMAResourceOptions {
-  name: string
-  id?: string
-  uri?: string
-  type?: string
-  iconUri?: string
-  owner?: string
-  scopes?: string[] | UMAScopeOptions[]
-}

src/@types/resource.ts

@@ -0,0 +1,10 @@
+export interface ResourceOwner {
+  id: string
+}
+
+export interface ResourceQuery {
+  scope?: string
+  type?: string
+  uri?: string
+  name?: string
+}

src/@types/uma.ticket.ts

@@ -0,0 +1,23 @@
+export interface TicketForm {
+  token: string
+  audience: string
+  grant_type?: string
+  resourceId?: string
+  scope?: string
+  response_mode?: TicketResponseMode
+}
+
+export enum TicketResponseMode {
+  permissions = 'permissions',
+  decision = 'decision',
+}
+
+export interface TicketDecisionResponse {
+  result: boolean
+}
+
+export interface TicketPermissionResponse {
+  scopes: string[]
+  rsid: string
+  rsname: string
+}

src/@types/uma.ts

@@ -0,0 +1,20 @@
+import { ResourceOwner } from './resource'
+
+export interface UMAResource {
+  _id?: string
+  name: string
+  displayName: string
+  uris?: string[]
+  type?: string
+  owner?: ResourceOwner
+  ownerManagedAccess?: boolean
+  attributes: Record<string, any>
+  resource_scopes?: UMAScope[]
+  scopes: UMAScope[]
+}
+
+export interface UMAScope {
+  name: string
+  id?: string
+  icon_uri?: string
+}

src/decorators/fetch.resources.decorator.ts

@@ -0,0 +1,9 @@
+import { SetMetadata, CustomDecorator } from '@nestjs/common'
+
+export const META_FETCH_RESOURCES = 'fetch-resources'
+
+/**
+ * Keycloak resource.
+ * @param resource
+ */
+export const FetchResources = (): CustomDecorator => SetMetadata(META_FETCH_RESOURCES, true)

src/decorators/public.decorator.ts

@@ -0,0 +1,10 @@
+import { SetMetadata, CustomDecorator } from '@nestjs/common'
+
+export const META_PUBLIC = 'public'
+
+/**
+ * Alias for `@Unprotected`.
+ * @since 1.2.0
+ */
+
+export const Public = (): CustomDecorator => SetMetadata(META_PUBLIC, true)

src/decorators/resource.decorator.ts

@@ -0,0 +1,10 @@
+import { SetMetadata, CustomDecorator } from '@nestjs/common'
+
+export const META_RESOURCE = 'resource'
+
+/**
+ * Keycloak resource.
+ * @param resource
+ */
+export const DefineResource = (resource: string): CustomDecorator =>
+  SetMetadata(META_RESOURCE, resource)

src/decorators/resource.enforcer.decorator.ts

@@ -0,0 +1,18 @@
+import { SetMetadata, CustomDecorator, ExecutionContext } from '@nestjs/common'
+
+export const META_RESOURCE_ENFORCER = 'resource-enforcer'
+
+/**
+ * Keycloak Authorization Scopes.
+ * @param scopes - scopes that are associated with the resource
+ */
+export const DefineResourceEnforcer = (options: ResourceDecoratorOptions): CustomDecorator =>
+  SetMetadata(META_RESOURCE_ENFORCER, options)
+
+export interface ResourceDecoratorOptions {
+  id: ResourceDecoratorReq
+}
+
+export interface ResourceDecoratorReq {
+  (req: Request, context: ExecutionContext): Promise<string> | string
+}

src/decorators/scope.decorator.ts

@@ -0,0 +1,9 @@
+import { SetMetadata, CustomDecorator } from '@nestjs/common'
+
+export const META_SCOPE = 'scope'
+
+/**
+ * Keycloak Authorization Scopes.
+ * @param scopes - scopes that are associated with the resource
+ */
+export const DefineScope = (scope: string): CustomDecorator => SetMetadata(META_SCOPE, scope)

src/guards/auth.guard.ts

@@ -0,0 +1,58 @@
+import {
+  CanActivate,
+  Injectable,
+  ExecutionContext,
+  UnauthorizedException,
+  Logger,
+} from '@nestjs/common'
+import { KeycloakAdminService } from '../service'
+import { Reflector } from '@nestjs/core'
+import { META_PUBLIC } from '../decorators/public.decorator'
+
+@Injectable()
+export class AuthGuard implements CanActivate {
+  private logger = new Logger(AuthGuard.name)
+
+  constructor(
+    private readonly keycloak: KeycloakAdminService,
+    private readonly reflector: Reflector
+  ) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    if (this.reflector.get<boolean>(META_PUBLIC, context.getHandler())) {
+      return true
+    }
+
+    const request = context.switchToHttp().getRequest()
+
+    const jwt = this.extractJwt(request.headers)
+
+    try {
+      const result = await this.keycloak.connect.grantManager.validateAccessToken(jwt)
+
+      if (typeof result === 'string') {
+        request.user = await this.keycloak.connect.grantManager.userInfo(jwt)
+        request.accessToken = jwt
+        return true
+      }
+    } catch (error) {
+      this.logger.warn(`Error occurred validating token`, error)
+    }
+
+    throw new UnauthorizedException()
+  }
+
+  private extractJwt({ authorization }: Record<string, string>): string {
+    if (!authorization) {
+      throw new UnauthorizedException()
+    }
+
+    const [type, payload] = authorization.split(' ')
+
+    if (type.toLowerCase() !== 'bearer') {
+      throw new UnauthorizedException()
+    }
+
+    return payload
+  }
+}