@quanticjs/iam-audit 5.10.1

package/dist/controllers/iam-audit.controller.d.ts

@@ -0,0 +1,12 @@
+import { QueryBus } from '@nestjs/cqrs';
+export declare class IamAuditController {
+    private readonly queryBus;
+    constructor(queryBus: QueryBus);
+    listUsers(search: string | undefined, first: string | undefined, max: string | undefined): Promise<any>;
+    getUser(id: string): Promise<any>;
+    listGroups(): Promise<any>;
+    getGroupMembers(id: string, first: string | undefined, max: string | undefined): Promise<any>;
+    listRoles(): Promise<any>;
+    getPermissionMatrix(): Promise<any>;
+    getAuditEvents(first: string | undefined, max: string | undefined): Promise<any>;
+}

package/dist/controllers/iam-audit.controller.js

@@ -0,0 +1,125 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IamAuditController = void 0;
+const common_1 = require("@nestjs/common");
+const cqrs_1 = require("@nestjs/cqrs");
+const swagger_1 = require("@nestjs/swagger");
+const core_1 = require("@quanticjs/core");
+const get_iam_users_query_1 = require("../queries/get-iam-users.query");
+const get_iam_user_detail_query_1 = require("../queries/get-iam-user-detail.query");
+const get_iam_groups_query_1 = require("../queries/get-iam-groups.query");
+const get_iam_group_members_query_1 = require("../queries/get-iam-group-members.query");
+const get_iam_roles_query_1 = require("../queries/get-iam-roles.query");
+const get_permission_matrix_query_1 = require("../queries/get-permission-matrix.query");
+const get_iam_audit_events_query_1 = require("../queries/get-iam-audit-events.query");
+let IamAuditController = class IamAuditController {
+    queryBus;
+    constructor(queryBus) {
+        this.queryBus = queryBus;
+    }
+    async listUsers(search, first, max) {
+        return this.queryBus.execute(new get_iam_users_query_1.GetIamUsersQuery(search, first ? parseInt(first, 10) : undefined, max ? parseInt(max, 10) : undefined));
+    }
+    async getUser(id) {
+        return this.queryBus.execute(new get_iam_user_detail_query_1.GetIamUserDetailQuery(id));
+    }
+    async listGroups() {
+        return this.queryBus.execute(new get_iam_groups_query_1.GetIamGroupsQuery());
+    }
+    async getGroupMembers(id, first, max) {
+        return this.queryBus.execute(new get_iam_group_members_query_1.GetIamGroupMembersQuery(id, first ? parseInt(first, 10) : undefined, max ? parseInt(max, 10) : undefined));
+    }
+    async listRoles() {
+        return this.queryBus.execute(new get_iam_roles_query_1.GetIamRolesQuery());
+    }
+    async getPermissionMatrix() {
+        return this.queryBus.execute(new get_permission_matrix_query_1.GetPermissionMatrixQuery());
+    }
+    async getAuditEvents(first, max) {
+        return this.queryBus.execute(new get_iam_audit_events_query_1.GetIamAuditEventsQuery(first ? parseInt(first, 10) : undefined, max ? parseInt(max, 10) : undefined));
+    }
+};
+exports.IamAuditController = IamAuditController;
+__decorate([
+    (0, common_1.Get)('users'),
+    (0, swagger_1.ApiOperation)({ summary: 'List users with group memberships and permission counts' }),
+    (0, swagger_1.ApiResponse)({ status: 200, description: 'Paginated user list' }),
+    __param(0, (0, common_1.Query)('search')),
+    __param(1, (0, common_1.Query)('first')),
+    __param(2, (0, common_1.Query)('max')),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object, Object]),
+    __metadata("design:returntype", Promise)
+], IamAuditController.prototype, "listUsers", null);
+__decorate([
+    (0, common_1.Get)('users/:id'),
+    (0, swagger_1.ApiOperation)({ summary: 'Get user detail with groups and client roles per app' }),
+    (0, swagger_1.ApiResponse)({ status: 200, description: 'User detail' }),
+    __param(0, (0, common_1.Param)('id')),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String]),
+    __metadata("design:returntype", Promise)
+], IamAuditController.prototype, "getUser", null);
+__decorate([
+    (0, common_1.Get)('groups'),
+    (0, swagger_1.ApiOperation)({ summary: 'List groups with member counts and role assignments' }),
+    (0, swagger_1.ApiResponse)({ status: 200, description: 'Group list' }),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", Promise)
+], IamAuditController.prototype, "listGroups", null);
+__decorate([
+    (0, common_1.Get)('groups/:id/members'),
+    (0, swagger_1.ApiOperation)({ summary: 'List members of a group' }),
+    (0, swagger_1.ApiResponse)({ status: 200, description: 'Group member list' }),
+    __param(0, (0, common_1.Param)('id')),
+    __param(1, (0, common_1.Query)('first')),
+    __param(2, (0, common_1.Query)('max')),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, Object, Object]),
+    __metadata("design:returntype", Promise)
+], IamAuditController.prototype, "getGroupMembers", null);
+__decorate([
+    (0, common_1.Get)('roles'),
+    (0, swagger_1.ApiOperation)({ summary: 'List all client roles across all apps' }),
+    (0, swagger_1.ApiResponse)({ status: 200, description: 'Roles by client' }),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", Promise)
+], IamAuditController.prototype, "listRoles", null);
+__decorate([
+    (0, common_1.Get)('permissions/matrix'),
+    (0, swagger_1.ApiOperation)({ summary: 'Permission matrix: users x permissions grid' }),
+    (0, swagger_1.ApiResponse)({ status: 200, description: 'Permission matrix' }),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", Promise)
+], IamAuditController.prototype, "getPermissionMatrix", null);
+__decorate([
+    (0, common_1.Get)('audit/events'),
+    (0, swagger_1.ApiOperation)({ summary: 'Recent Keycloak admin events' }),
+    (0, swagger_1.ApiResponse)({ status: 200, description: 'Admin event list' }),
+    __param(0, (0, common_1.Query)('first')),
+    __param(1, (0, common_1.Query)('max')),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], IamAuditController.prototype, "getAuditEvents", null);
+exports.IamAuditController = IamAuditController = __decorate([
+    (0, swagger_1.ApiTags)('iam-audit'),
+    (0, core_1.Roles)('admin'),
+    (0, common_1.Controller)('iam'),
+    __metadata("design:paramtypes", [cqrs_1.QueryBus])
+], IamAuditController);

package/dist/dtos/iam-audit.dtos.d.ts

@@ -0,0 +1,74 @@
+export interface IamUserSummaryDto {
+    id: string;
+    username: string;
+    email: string | undefined;
+    firstName: string | undefined;
+    lastName: string | undefined;
+    enabled: boolean;
+    groups: string[];
+    permissionCount: number;
+}
+export interface IamUserDetailDto {
+    id: string;
+    username: string;
+    email: string | undefined;
+    firstName: string | undefined;
+    lastName: string | undefined;
+    enabled: boolean;
+    emailVerified: boolean;
+    createdTimestamp: number | undefined;
+    groups: {
+        id: string;
+        name: string;
+        path: string;
+    }[];
+    clientRoles: {
+        clientId: string;
+        roles: {
+            name: string;
+            description: string | undefined;
+        }[];
+    }[];
+}
+export interface IamGroupSummaryDto {
+    id: string;
+    name: string;
+    path: string;
+    memberCount: number;
+    clientRoles: {
+        clientId: string;
+        roles: string[];
+    }[];
+}
+export interface IamGroupMemberDto {
+    id: string;
+    username: string;
+    email: string | undefined;
+    firstName: string | undefined;
+    lastName: string | undefined;
+}
+export interface IamClientRolesDto {
+    clientId: string;
+    roles: {
+        name: string;
+        description: string | undefined;
+    }[];
+}
+export interface IamPermissionMatrixDto {
+    permissions: string[];
+    users: {
+        id: string;
+        username: string;
+        displayName: string;
+        grants: string[];
+    }[];
+}
+export interface IamAuditEventDto {
+    time: number;
+    operationType: string;
+    resourceType: string;
+    resourcePath: string;
+    userId: string;
+    ipAddress: string;
+    clientId: string;
+}

package/dist/dtos/iam-audit.dtos.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/dtos/keycloak-admin.types.d.ts

@@ -0,0 +1,45 @@
+export interface KcUser {
+    id: string;
+    username: string;
+    email?: string;
+    firstName?: string;
+    lastName?: string;
+    enabled: boolean;
+    emailVerified: boolean;
+    createdTimestamp?: number;
+}
+export interface KcGroup {
+    id: string;
+    name: string;
+    path: string;
+    subGroups: KcGroup[];
+}
+export interface KcRole {
+    id: string;
+    name: string;
+    description?: string;
+    composite: boolean;
+    clientRole: boolean;
+    containerId: string;
+}
+export interface KcClient {
+    id: string;
+    clientId: string;
+    name?: string;
+    enabled: boolean;
+}
+export interface KcAdminEvent {
+    time: number;
+    type: string;
+    realmId: string;
+    operationType: string;
+    resourceType: string;
+    resourcePath: string;
+    representation?: string;
+    authDetails: {
+        realmId: string;
+        clientId: string;
+        userId: string;
+        ipAddress: string;
+    };
+}

package/dist/dtos/keycloak-admin.types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/iam-audit.module.d.ts

@@ -0,0 +1,5 @@
+import { DynamicModule } from '@nestjs/common';
+import { IamAuditModuleOptions } from './iam-audit.options';
+export declare class IamAuditModule {
+    static forRoot(options: IamAuditModuleOptions): DynamicModule;
+}

package/dist/iam-audit.module.js

@@ -0,0 +1,49 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var IamAuditModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IamAuditModule = void 0;
+const common_1 = require("@nestjs/common");
+const cqrs_1 = require("@nestjs/cqrs");
+const iam_audit_options_1 = require("./iam-audit.options");
+const keycloak_admin_service_1 = require("./services/keycloak-admin.service");
+const iam_audit_controller_1 = require("./controllers/iam-audit.controller");
+const get_iam_users_handler_1 = require("./queries/get-iam-users.handler");
+const get_iam_user_detail_handler_1 = require("./queries/get-iam-user-detail.handler");
+const get_iam_groups_handler_1 = require("./queries/get-iam-groups.handler");
+const get_iam_group_members_handler_1 = require("./queries/get-iam-group-members.handler");
+const get_iam_roles_handler_1 = require("./queries/get-iam-roles.handler");
+const get_permission_matrix_handler_1 = require("./queries/get-permission-matrix.handler");
+const get_iam_audit_events_handler_1 = require("./queries/get-iam-audit-events.handler");
+const QueryHandlers = [
+    get_iam_users_handler_1.GetIamUsersHandler,
+    get_iam_user_detail_handler_1.GetIamUserDetailHandler,
+    get_iam_groups_handler_1.GetIamGroupsHandler,
+    get_iam_group_members_handler_1.GetIamGroupMembersHandler,
+    get_iam_roles_handler_1.GetIamRolesHandler,
+    get_permission_matrix_handler_1.GetPermissionMatrixHandler,
+    get_iam_audit_events_handler_1.GetIamAuditEventsHandler,
+];
+let IamAuditModule = IamAuditModule_1 = class IamAuditModule {
+    static forRoot(options) {
+        return {
+            module: IamAuditModule_1,
+            imports: [cqrs_1.CqrsModule],
+            controllers: [iam_audit_controller_1.IamAuditController],
+            providers: [
+                { provide: iam_audit_options_1.IAM_AUDIT_OPTIONS, useValue: options },
+                keycloak_admin_service_1.KeycloakAdminService,
+                ...QueryHandlers,
+            ],
+        };
+    }
+};
+exports.IamAuditModule = IamAuditModule;
+exports.IamAuditModule = IamAuditModule = IamAuditModule_1 = __decorate([
+    (0, common_1.Module)({})
+], IamAuditModule);

package/dist/iam-audit.options.d.ts

@@ -0,0 +1,7 @@
+export declare const IAM_AUDIT_OPTIONS: unique symbol;
+export interface IamAuditModuleOptions {
+    /** Keycloak client IDs to audit (e.g., ['delivery-hub-backend', 'quanticflow']) */
+    clients: string[];
+    /** Client used for the user list permission count and permission matrix. Defaults to clients[0]. */
+    primaryClient?: string;
+}

package/dist/iam-audit.options.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IAM_AUDIT_OPTIONS = void 0;
+exports.IAM_AUDIT_OPTIONS = Symbol('IAM_AUDIT_OPTIONS');

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { IamAuditModule } from './iam-audit.module';
+export { IAM_AUDIT_OPTIONS, type IamAuditModuleOptions } from './iam-audit.options';
+export type { IamUserSummaryDto, IamUserDetailDto, IamGroupSummaryDto, IamGroupMemberDto, IamClientRolesDto, IamPermissionMatrixDto, IamAuditEventDto, } from './dtos/iam-audit.dtos';
+export { GetIamUsersQuery } from './queries/get-iam-users.query';
+export { GetIamUserDetailQuery } from './queries/get-iam-user-detail.query';
+export { GetIamGroupsQuery } from './queries/get-iam-groups.query';
+export { GetIamGroupMembersQuery } from './queries/get-iam-group-members.query';
+export { GetIamRolesQuery } from './queries/get-iam-roles.query';
+export { GetPermissionMatrixQuery } from './queries/get-permission-matrix.query';
+export { GetIamAuditEventsQuery } from './queries/get-iam-audit-events.query';

package/dist/index.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamAuditEventsQuery = exports.GetPermissionMatrixQuery = exports.GetIamRolesQuery = exports.GetIamGroupMembersQuery = exports.GetIamGroupsQuery = exports.GetIamUserDetailQuery = exports.GetIamUsersQuery = exports.IAM_AUDIT_OPTIONS = exports.IamAuditModule = void 0;
+var iam_audit_module_1 = require("./iam-audit.module");
+Object.defineProperty(exports, "IamAuditModule", { enumerable: true, get: function () { return iam_audit_module_1.IamAuditModule; } });
+var iam_audit_options_1 = require("./iam-audit.options");
+Object.defineProperty(exports, "IAM_AUDIT_OPTIONS", { enumerable: true, get: function () { return iam_audit_options_1.IAM_AUDIT_OPTIONS; } });
+var get_iam_users_query_1 = require("./queries/get-iam-users.query");
+Object.defineProperty(exports, "GetIamUsersQuery", { enumerable: true, get: function () { return get_iam_users_query_1.GetIamUsersQuery; } });
+var get_iam_user_detail_query_1 = require("./queries/get-iam-user-detail.query");
+Object.defineProperty(exports, "GetIamUserDetailQuery", { enumerable: true, get: function () { return get_iam_user_detail_query_1.GetIamUserDetailQuery; } });
+var get_iam_groups_query_1 = require("./queries/get-iam-groups.query");
+Object.defineProperty(exports, "GetIamGroupsQuery", { enumerable: true, get: function () { return get_iam_groups_query_1.GetIamGroupsQuery; } });
+var get_iam_group_members_query_1 = require("./queries/get-iam-group-members.query");
+Object.defineProperty(exports, "GetIamGroupMembersQuery", { enumerable: true, get: function () { return get_iam_group_members_query_1.GetIamGroupMembersQuery; } });
+var get_iam_roles_query_1 = require("./queries/get-iam-roles.query");
+Object.defineProperty(exports, "GetIamRolesQuery", { enumerable: true, get: function () { return get_iam_roles_query_1.GetIamRolesQuery; } });
+var get_permission_matrix_query_1 = require("./queries/get-permission-matrix.query");
+Object.defineProperty(exports, "GetPermissionMatrixQuery", { enumerable: true, get: function () { return get_permission_matrix_query_1.GetPermissionMatrixQuery; } });
+var get_iam_audit_events_query_1 = require("./queries/get-iam-audit-events.query");
+Object.defineProperty(exports, "GetIamAuditEventsQuery", { enumerable: true, get: function () { return get_iam_audit_events_query_1.GetIamAuditEventsQuery; } });

package/dist/queries/get-iam-audit-events.handler.d.ts

@@ -0,0 +1,12 @@
+import { IQueryHandler } from '@nestjs/cqrs';
+import { Result } from '@quanticjs/core';
+import { GetIamAuditEventsQuery } from './get-iam-audit-events.query';
+import { KeycloakAdminService } from '../services/keycloak-admin.service';
+import { IamAuditEventDto } from '../dtos/iam-audit.dtos';
+export declare class GetIamAuditEventsHandler implements IQueryHandler<GetIamAuditEventsQuery> {
+    private readonly keycloakAdmin;
+    constructor(keycloakAdmin: KeycloakAdminService);
+    execute(query: GetIamAuditEventsQuery): Promise<Result<{
+        data: IamAuditEventDto[];
+    }>>;
+}

package/dist/queries/get-iam-audit-events.handler.js

@@ -0,0 +1,41 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamAuditEventsHandler = void 0;
+const cqrs_1 = require("@nestjs/cqrs");
+const core_1 = require("@quanticjs/core");
+const get_iam_audit_events_query_1 = require("./get-iam-audit-events.query");
+const keycloak_admin_service_1 = require("../services/keycloak-admin.service");
+let GetIamAuditEventsHandler = class GetIamAuditEventsHandler {
+    keycloakAdmin;
+    constructor(keycloakAdmin) {
+        this.keycloakAdmin = keycloakAdmin;
+    }
+    async execute(query) {
+        const events = await this.keycloakAdmin.getAdminEvents(undefined, query.first, query.max);
+        return core_1.Result.success({
+            data: events.map((e) => ({
+                time: e.time,
+                operationType: e.operationType,
+                resourceType: e.resourceType,
+                resourcePath: e.resourcePath,
+                userId: e.authDetails?.userId ?? '',
+                ipAddress: e.authDetails?.ipAddress ?? '',
+                clientId: e.authDetails?.clientId ?? '',
+            })),
+        });
+    }
+};
+exports.GetIamAuditEventsHandler = GetIamAuditEventsHandler;
+exports.GetIamAuditEventsHandler = GetIamAuditEventsHandler = __decorate([
+    (0, cqrs_1.QueryHandler)(get_iam_audit_events_query_1.GetIamAuditEventsQuery),
+    __metadata("design:paramtypes", [keycloak_admin_service_1.KeycloakAdminService])
+], GetIamAuditEventsHandler);

package/dist/queries/get-iam-audit-events.query.d.ts

@@ -0,0 +1,5 @@
+export declare class GetIamAuditEventsQuery {
+    readonly first: number;
+    readonly max: number;
+    constructor(first?: number, max?: number);
+}

package/dist/queries/get-iam-audit-events.query.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamAuditEventsQuery = void 0;
+class GetIamAuditEventsQuery {
+    first;
+    max;
+    constructor(first = 0, max = 50) {
+        this.first = first;
+        this.max = max;
+    }
+}
+exports.GetIamAuditEventsQuery = GetIamAuditEventsQuery;

package/dist/queries/get-iam-group-members.handler.d.ts

@@ -0,0 +1,12 @@
+import { IQueryHandler } from '@nestjs/cqrs';
+import { Result } from '@quanticjs/core';
+import { GetIamGroupMembersQuery } from './get-iam-group-members.query';
+import { KeycloakAdminService } from '../services/keycloak-admin.service';
+import { IamGroupMemberDto } from '../dtos/iam-audit.dtos';
+export declare class GetIamGroupMembersHandler implements IQueryHandler<GetIamGroupMembersQuery> {
+    private readonly keycloakAdmin;
+    constructor(keycloakAdmin: KeycloakAdminService);
+    execute(query: GetIamGroupMembersQuery): Promise<Result<{
+        data: IamGroupMemberDto[];
+    }>>;
+}

package/dist/queries/get-iam-group-members.handler.js

@@ -0,0 +1,39 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamGroupMembersHandler = void 0;
+const cqrs_1 = require("@nestjs/cqrs");
+const core_1 = require("@quanticjs/core");
+const get_iam_group_members_query_1 = require("./get-iam-group-members.query");
+const keycloak_admin_service_1 = require("../services/keycloak-admin.service");
+let GetIamGroupMembersHandler = class GetIamGroupMembersHandler {
+    keycloakAdmin;
+    constructor(keycloakAdmin) {
+        this.keycloakAdmin = keycloakAdmin;
+    }
+    async execute(query) {
+        const members = await this.keycloakAdmin.getGroupMembers(query.groupId, query.first, query.max);
+        return core_1.Result.success({
+            data: members.map((m) => ({
+                id: m.id,
+                username: m.username,
+                email: m.email,
+                firstName: m.firstName,
+                lastName: m.lastName,
+            })),
+        });
+    }
+};
+exports.GetIamGroupMembersHandler = GetIamGroupMembersHandler;
+exports.GetIamGroupMembersHandler = GetIamGroupMembersHandler = __decorate([
+    (0, cqrs_1.QueryHandler)(get_iam_group_members_query_1.GetIamGroupMembersQuery),
+    __metadata("design:paramtypes", [keycloak_admin_service_1.KeycloakAdminService])
+], GetIamGroupMembersHandler);

package/dist/queries/get-iam-group-members.query.d.ts

@@ -0,0 +1,6 @@
+export declare class GetIamGroupMembersQuery {
+    readonly groupId: string;
+    readonly first: number;
+    readonly max: number;
+    constructor(groupId: string, first?: number, max?: number);
+}

package/dist/queries/get-iam-group-members.query.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamGroupMembersQuery = void 0;
+class GetIamGroupMembersQuery {
+    groupId;
+    first;
+    max;
+    constructor(groupId, first = 0, max = 100) {
+        this.groupId = groupId;
+        this.first = first;
+        this.max = max;
+    }
+}
+exports.GetIamGroupMembersQuery = GetIamGroupMembersQuery;

package/dist/queries/get-iam-groups.handler.d.ts

@@ -0,0 +1,14 @@
+import { IQueryHandler } from '@nestjs/cqrs';
+import { Result } from '@quanticjs/core';
+import { GetIamGroupsQuery } from './get-iam-groups.query';
+import { KeycloakAdminService } from '../services/keycloak-admin.service';
+import { IamAuditModuleOptions } from '../iam-audit.options';
+import { IamGroupSummaryDto } from '../dtos/iam-audit.dtos';
+export declare class GetIamGroupsHandler implements IQueryHandler<GetIamGroupsQuery> {
+    private readonly keycloakAdmin;
+    private readonly options;
+    constructor(keycloakAdmin: KeycloakAdminService, options: IamAuditModuleOptions);
+    execute(_query: GetIamGroupsQuery): Promise<Result<{
+        data: IamGroupSummaryDto[];
+    }>>;
+}

package/dist/queries/get-iam-groups.handler.js

@@ -0,0 +1,60 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamGroupsHandler = void 0;
+const common_1 = require("@nestjs/common");
+const cqrs_1 = require("@nestjs/cqrs");
+const core_1 = require("@quanticjs/core");
+const get_iam_groups_query_1 = require("./get-iam-groups.query");
+const keycloak_admin_service_1 = require("../services/keycloak-admin.service");
+const iam_audit_options_1 = require("../iam-audit.options");
+let GetIamGroupsHandler = class GetIamGroupsHandler {
+    keycloakAdmin;
+    options;
+    constructor(keycloakAdmin, options) {
+        this.keycloakAdmin = keycloakAdmin;
+        this.options = options;
+    }
+    async execute(_query) {
+        const [groups, clientUuids] = await Promise.all([
+            this.keycloakAdmin.getGroups(),
+            Promise.all(this.options.clients.map((c) => this.keycloakAdmin.resolveClientUuid(c))),
+        ]);
+        const data = await Promise.all(groups.map(async (group) => {
+            const [members, ...rolesByClient] = await Promise.all([
+                this.keycloakAdmin.getGroupMembers(group.id, 0, 1000),
+                ...clientUuids.map((uuid, i) => this.keycloakAdmin
+                    .getGroupClientRoles(group.id, uuid)
+                    .then((roles) => ({
+                    clientId: this.options.clients[i],
+                    roles: roles.map((r) => r.name),
+                }))),
+            ]);
+            return {
+                id: group.id,
+                name: group.name,
+                path: group.path,
+                memberCount: members.length,
+                clientRoles: rolesByClient,
+            };
+        }));
+        return core_1.Result.success({ data });
+    }
+};
+exports.GetIamGroupsHandler = GetIamGroupsHandler;
+exports.GetIamGroupsHandler = GetIamGroupsHandler = __decorate([
+    (0, cqrs_1.QueryHandler)(get_iam_groups_query_1.GetIamGroupsQuery),
+    __param(1, (0, common_1.Inject)(iam_audit_options_1.IAM_AUDIT_OPTIONS)),
+    __metadata("design:paramtypes", [keycloak_admin_service_1.KeycloakAdminService, Object])
+], GetIamGroupsHandler);

package/dist/queries/get-iam-groups.query.d.ts

@@ -0,0 +1,2 @@
+export declare class GetIamGroupsQuery {
+}

package/dist/queries/get-iam-groups.query.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamGroupsQuery = void 0;
+class GetIamGroupsQuery {
+}
+exports.GetIamGroupsQuery = GetIamGroupsQuery;

package/dist/queries/get-iam-roles.handler.d.ts

@@ -0,0 +1,14 @@
+import { IQueryHandler } from '@nestjs/cqrs';
+import { Result } from '@quanticjs/core';
+import { GetIamRolesQuery } from './get-iam-roles.query';
+import { KeycloakAdminService } from '../services/keycloak-admin.service';
+import { IamAuditModuleOptions } from '../iam-audit.options';
+import { IamClientRolesDto } from '../dtos/iam-audit.dtos';
+export declare class GetIamRolesHandler implements IQueryHandler<GetIamRolesQuery> {
+    private readonly keycloakAdmin;
+    private readonly options;
+    constructor(keycloakAdmin: KeycloakAdminService, options: IamAuditModuleOptions);
+    execute(_query: GetIamRolesQuery): Promise<Result<{
+        data: IamClientRolesDto[];
+    }>>;
+}

package/dist/queries/get-iam-roles.handler.js

@@ -0,0 +1,46 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamRolesHandler = void 0;
+const common_1 = require("@nestjs/common");
+const cqrs_1 = require("@nestjs/cqrs");
+const core_1 = require("@quanticjs/core");
+const get_iam_roles_query_1 = require("./get-iam-roles.query");
+const keycloak_admin_service_1 = require("../services/keycloak-admin.service");
+const iam_audit_options_1 = require("../iam-audit.options");
+let GetIamRolesHandler = class GetIamRolesHandler {
+    keycloakAdmin;
+    options;
+    constructor(keycloakAdmin, options) {
+        this.keycloakAdmin = keycloakAdmin;
+        this.options = options;
+    }
+    async execute(_query) {
+        const clientUuids = await Promise.all(this.options.clients.map((c) => this.keycloakAdmin.resolveClientUuid(c)));
+        const data = await Promise.all(this.options.clients.map(async (clientId, i) => {
+            const roles = await this.keycloakAdmin.getClientRoles(clientUuids[i]);
+            return {
+                clientId,
+                roles: roles.map((r) => ({ name: r.name, description: r.description })),
+            };
+        }));
+        return core_1.Result.success({ data });
+    }
+};
+exports.GetIamRolesHandler = GetIamRolesHandler;
+exports.GetIamRolesHandler = GetIamRolesHandler = __decorate([
+    (0, cqrs_1.QueryHandler)(get_iam_roles_query_1.GetIamRolesQuery),
+    __param(1, (0, common_1.Inject)(iam_audit_options_1.IAM_AUDIT_OPTIONS)),
+    __metadata("design:paramtypes", [keycloak_admin_service_1.KeycloakAdminService, Object])
+], GetIamRolesHandler);

package/dist/queries/get-iam-roles.query.d.ts

@@ -0,0 +1,2 @@
+export declare class GetIamRolesQuery {
+}

package/dist/queries/get-iam-roles.query.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamRolesQuery = void 0;
+class GetIamRolesQuery {
+}
+exports.GetIamRolesQuery = GetIamRolesQuery;

package/dist/queries/get-iam-user-detail.handler.d.ts

@@ -0,0 +1,12 @@
+import { IQueryHandler } from '@nestjs/cqrs';
+import { Result } from '@quanticjs/core';
+import { GetIamUserDetailQuery } from './get-iam-user-detail.query';
+import { KeycloakAdminService } from '../services/keycloak-admin.service';
+import { IamAuditModuleOptions } from '../iam-audit.options';
+import { IamUserDetailDto } from '../dtos/iam-audit.dtos';
+export declare class GetIamUserDetailHandler implements IQueryHandler<GetIamUserDetailQuery> {
+    private readonly keycloakAdmin;
+    private readonly options;
+    constructor(keycloakAdmin: KeycloakAdminService, options: IamAuditModuleOptions);
+    execute(query: GetIamUserDetailQuery): Promise<Result<IamUserDetailDto>>;
+}

package/dist/queries/get-iam-user-detail.handler.js

@@ -0,0 +1,61 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamUserDetailHandler = void 0;
+const common_1 = require("@nestjs/common");
+const cqrs_1 = require("@nestjs/cqrs");
+const core_1 = require("@quanticjs/core");
+const get_iam_user_detail_query_1 = require("./get-iam-user-detail.query");
+const keycloak_admin_service_1 = require("../services/keycloak-admin.service");
+const iam_audit_options_1 = require("../iam-audit.options");
+let GetIamUserDetailHandler = class GetIamUserDetailHandler {
+    keycloakAdmin;
+    options;
+    constructor(keycloakAdmin, options) {
+        this.keycloakAdmin = keycloakAdmin;
+        this.options = options;
+    }
+    async execute(query) {
+        const [user, groups, clientUuids] = await Promise.all([
+            this.keycloakAdmin.getUser(query.userId),
+            this.keycloakAdmin.getUserGroups(query.userId),
+            Promise.all(this.options.clients.map((c) => this.keycloakAdmin.resolveClientUuid(c))),
+        ]);
+        const clientRoles = await Promise.all(this.options.clients.map(async (clientId, i) => {
+            const roles = await this.keycloakAdmin.getUserClientRoles(query.userId, clientUuids[i]);
+            return {
+                clientId,
+                roles: roles.map((r) => ({ name: r.name, description: r.description })),
+            };
+        }));
+        return core_1.Result.success({
+            id: user.id,
+            username: user.username,
+            email: user.email,
+            firstName: user.firstName,
+            lastName: user.lastName,
+            enabled: user.enabled,
+            emailVerified: user.emailVerified,
+            createdTimestamp: user.createdTimestamp,
+            groups: groups.map((g) => ({ id: g.id, name: g.name, path: g.path })),
+            clientRoles,
+        });
+    }
+};
+exports.GetIamUserDetailHandler = GetIamUserDetailHandler;
+exports.GetIamUserDetailHandler = GetIamUserDetailHandler = __decorate([
+    (0, cqrs_1.QueryHandler)(get_iam_user_detail_query_1.GetIamUserDetailQuery),
+    __param(1, (0, common_1.Inject)(iam_audit_options_1.IAM_AUDIT_OPTIONS)),
+    __metadata("design:paramtypes", [keycloak_admin_service_1.KeycloakAdminService, Object])
+], GetIamUserDetailHandler);

package/dist/queries/get-iam-user-detail.query.d.ts

@@ -0,0 +1,4 @@
+export declare class GetIamUserDetailQuery {
+    readonly userId: string;
+    constructor(userId: string);
+}

package/dist/queries/get-iam-user-detail.query.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamUserDetailQuery = void 0;
+class GetIamUserDetailQuery {
+    userId;
+    constructor(userId) {
+        this.userId = userId;
+    }
+}
+exports.GetIamUserDetailQuery = GetIamUserDetailQuery;

package/dist/queries/get-iam-users.handler.d.ts

@@ -0,0 +1,15 @@
+import { IQueryHandler } from '@nestjs/cqrs';
+import { Result } from '@quanticjs/core';
+import { GetIamUsersQuery } from './get-iam-users.query';
+import { KeycloakAdminService } from '../services/keycloak-admin.service';
+import { IamAuditModuleOptions } from '../iam-audit.options';
+import { IamUserSummaryDto } from '../dtos/iam-audit.dtos';
+export declare class GetIamUsersHandler implements IQueryHandler<GetIamUsersQuery> {
+    private readonly keycloakAdmin;
+    private readonly options;
+    constructor(keycloakAdmin: KeycloakAdminService, options: IamAuditModuleOptions);
+    execute(query: GetIamUsersQuery): Promise<Result<{
+        data: IamUserSummaryDto[];
+        total: number;
+    }>>;
+}

package/dist/queries/get-iam-users.handler.js

@@ -0,0 +1,60 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamUsersHandler = void 0;
+const common_1 = require("@nestjs/common");
+const cqrs_1 = require("@nestjs/cqrs");
+const core_1 = require("@quanticjs/core");
+const get_iam_users_query_1 = require("./get-iam-users.query");
+const keycloak_admin_service_1 = require("../services/keycloak-admin.service");
+const iam_audit_options_1 = require("../iam-audit.options");
+let GetIamUsersHandler = class GetIamUsersHandler {
+    keycloakAdmin;
+    options;
+    constructor(keycloakAdmin, options) {
+        this.keycloakAdmin = keycloakAdmin;
+        this.options = options;
+    }
+    async execute(query) {
+        const primaryClient = this.options.primaryClient ?? this.options.clients[0];
+        const primaryUuid = await this.keycloakAdmin.resolveClientUuid(primaryClient);
+        const [users, total] = await Promise.all([
+            this.keycloakAdmin.getUsers(query.search, query.first, query.max),
+            this.keycloakAdmin.getUserCount(query.search),
+        ]);
+        const data = await Promise.all(users.map(async (user) => {
+            const [groups, clientRoles] = await Promise.all([
+                this.keycloakAdmin.getUserGroups(user.id),
+                this.keycloakAdmin.getUserClientRoles(user.id, primaryUuid),
+            ]);
+            return {
+                id: user.id,
+                username: user.username,
+                email: user.email,
+                firstName: user.firstName,
+                lastName: user.lastName,
+                enabled: user.enabled,
+                groups: groups.map((g) => g.name),
+                permissionCount: clientRoles.length,
+            };
+        }));
+        return core_1.Result.success({ data, total });
+    }
+};
+exports.GetIamUsersHandler = GetIamUsersHandler;
+exports.GetIamUsersHandler = GetIamUsersHandler = __decorate([
+    (0, cqrs_1.QueryHandler)(get_iam_users_query_1.GetIamUsersQuery),
+    __param(1, (0, common_1.Inject)(iam_audit_options_1.IAM_AUDIT_OPTIONS)),
+    __metadata("design:paramtypes", [keycloak_admin_service_1.KeycloakAdminService, Object])
+], GetIamUsersHandler);

package/dist/queries/get-iam-users.query.d.ts

@@ -0,0 +1,6 @@
+export declare class GetIamUsersQuery {
+    readonly search?: string | undefined;
+    readonly first: number;
+    readonly max: number;
+    constructor(search?: string | undefined, first?: number, max?: number);
+}

package/dist/queries/get-iam-users.query.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetIamUsersQuery = void 0;
+class GetIamUsersQuery {
+    search;
+    first;
+    max;
+    constructor(search, first = 0, max = 100) {
+        this.search = search;
+        this.first = first;
+        this.max = max;
+    }
+}
+exports.GetIamUsersQuery = GetIamUsersQuery;

package/dist/queries/get-permission-matrix.handler.d.ts

@@ -0,0 +1,12 @@
+import { IQueryHandler } from '@nestjs/cqrs';
+import { Result } from '@quanticjs/core';
+import { GetPermissionMatrixQuery } from './get-permission-matrix.query';
+import { KeycloakAdminService } from '../services/keycloak-admin.service';
+import { IamAuditModuleOptions } from '../iam-audit.options';
+import { IamPermissionMatrixDto } from '../dtos/iam-audit.dtos';
+export declare class GetPermissionMatrixHandler implements IQueryHandler<GetPermissionMatrixQuery> {
+    private readonly keycloakAdmin;
+    private readonly options;
+    constructor(keycloakAdmin: KeycloakAdminService, options: IamAuditModuleOptions);
+    execute(_query: GetPermissionMatrixQuery): Promise<Result<IamPermissionMatrixDto>>;
+}

package/dist/queries/get-permission-matrix.handler.js

@@ -0,0 +1,54 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetPermissionMatrixHandler = void 0;
+const common_1 = require("@nestjs/common");
+const cqrs_1 = require("@nestjs/cqrs");
+const core_1 = require("@quanticjs/core");
+const get_permission_matrix_query_1 = require("./get-permission-matrix.query");
+const keycloak_admin_service_1 = require("../services/keycloak-admin.service");
+const iam_audit_options_1 = require("../iam-audit.options");
+let GetPermissionMatrixHandler = class GetPermissionMatrixHandler {
+    keycloakAdmin;
+    options;
+    constructor(keycloakAdmin, options) {
+        this.keycloakAdmin = keycloakAdmin;
+        this.options = options;
+    }
+    async execute(_query) {
+        const primaryClient = this.options.primaryClient ?? this.options.clients[0];
+        const primaryUuid = await this.keycloakAdmin.resolveClientUuid(primaryClient);
+        const [allUsers, allRoles] = await Promise.all([
+            this.keycloakAdmin.getUsers(undefined, 0, 1000),
+            this.keycloakAdmin.getClientRoles(primaryUuid),
+        ]);
+        const permissions = allRoles.map((r) => r.name);
+        const users = await Promise.all(allUsers.map(async (user) => {
+            const roles = await this.keycloakAdmin.getUserClientRoles(user.id, primaryUuid);
+            return {
+                id: user.id,
+                username: user.username,
+                displayName: [user.firstName, user.lastName].filter(Boolean).join(' ') || user.username,
+                grants: roles.map((r) => r.name),
+            };
+        }));
+        return core_1.Result.success({ permissions, users });
+    }
+};
+exports.GetPermissionMatrixHandler = GetPermissionMatrixHandler;
+exports.GetPermissionMatrixHandler = GetPermissionMatrixHandler = __decorate([
+    (0, cqrs_1.QueryHandler)(get_permission_matrix_query_1.GetPermissionMatrixQuery),
+    __param(1, (0, common_1.Inject)(iam_audit_options_1.IAM_AUDIT_OPTIONS)),
+    __metadata("design:paramtypes", [keycloak_admin_service_1.KeycloakAdminService, Object])
+], GetPermissionMatrixHandler);

package/dist/queries/get-permission-matrix.query.d.ts

@@ -0,0 +1,2 @@
+export declare class GetPermissionMatrixQuery {
+}

package/dist/queries/get-permission-matrix.query.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetPermissionMatrixQuery = void 0;
+class GetPermissionMatrixQuery {
+}
+exports.GetPermissionMatrixQuery = GetPermissionMatrixQuery;

package/dist/services/keycloak-admin.service.d.ts

@@ -0,0 +1,28 @@
+import { ConfigService } from '@nestjs/config';
+import { PinoLogger } from 'nestjs-pino';
+import { KcUser, KcGroup, KcRole, KcAdminEvent } from '../dtos/keycloak-admin.types';
+export declare class KeycloakAdminService {
+    private readonly logger;
+    private readonly adminBaseUrl;
+    private readonly tokenUrl;
+    private readonly clientId;
+    private readonly clientSecret;
+    private serviceToken;
+    private serviceTokenExpiresAt;
+    private readonly clientUuidCache;
+    private readonly breaker;
+    constructor(config: ConfigService, logger: PinoLogger);
+    getUsers(search?: string, first?: number, max?: number): Promise<KcUser[]>;
+    getUserCount(search?: string): Promise<number>;
+    getUser(userId: string): Promise<KcUser>;
+    getUserGroups(userId: string): Promise<KcGroup[]>;
+    getUserClientRoles(userId: string, clientUuid: string): Promise<KcRole[]>;
+    getGroups(): Promise<KcGroup[]>;
+    getGroupMembers(groupId: string, first?: number, max?: number): Promise<KcUser[]>;
+    getGroupClientRoles(groupId: string, clientUuid: string): Promise<KcRole[]>;
+    getClientRoles(clientUuid: string): Promise<KcRole[]>;
+    getAdminEvents(types?: string[], first?: number, max?: number): Promise<KcAdminEvent[]>;
+    resolveClientUuid(clientIdName: string): Promise<string>;
+    private get;
+    private getServiceToken;
+}

package/dist/services/keycloak-admin.service.js

@@ -0,0 +1,144 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakAdminService = void 0;
+const common_1 = require("@nestjs/common");
+const config_1 = require("@nestjs/config");
+const nestjs_pino_1 = require("nestjs-pino");
+const core_1 = require("@quanticjs/core");
+let KeycloakAdminService = class KeycloakAdminService {
+    logger;
+    adminBaseUrl;
+    tokenUrl;
+    clientId;
+    clientSecret;
+    serviceToken = null;
+    serviceTokenExpiresAt = 0;
+    clientUuidCache = new Map();
+    breaker = (0, core_1.createCircuitBreaker)({
+        maxRetries: 2,
+        consecutiveFailures: 5,
+        halfOpenAfterMs: 30_000,
+    });
+    constructor(config, logger) {
+        this.logger = logger;
+        const keycloakBase = config.get('KEYCLOAK_INTERNAL_URL') ?? config.get('KEYCLOAK_URL', 'http://localhost:8081');
+        const realm = config.get('KEYCLOAK_REALM', 'masaar');
+        this.adminBaseUrl = `${keycloakBase}/admin/realms/${realm}`;
+        this.tokenUrl = `${keycloakBase}/realms/${realm}/protocol/openid-connect/token`;
+        this.clientId = config.get('KEYCLOAK_CLIENT_ID', 'delivery-hub-backend');
+        this.clientSecret = config.get('KEYCLOAK_CLIENT_SECRET', 'change-me');
+    }
+    async getUsers(search, first = 0, max = 100) {
+        const params = new URLSearchParams({ first: String(first), max: String(max) });
+        if (search)
+            params.set('search', search);
+        return this.get(`/users?${params}`);
+    }
+    async getUserCount(search) {
+        const params = new URLSearchParams();
+        if (search)
+            params.set('search', search);
+        return this.get(`/users/count?${params}`);
+    }
+    async getUser(userId) {
+        return this.get(`/users/${userId}`);
+    }
+    async getUserGroups(userId) {
+        return this.get(`/users/${userId}/groups`);
+    }
+    async getUserClientRoles(userId, clientUuid) {
+        return this.get(`/users/${userId}/role-mappings/clients/${clientUuid}`);
+    }
+    async getGroups() {
+        return this.get('/groups');
+    }
+    async getGroupMembers(groupId, first = 0, max = 100) {
+        const params = new URLSearchParams({ first: String(first), max: String(max) });
+        return this.get(`/groups/${groupId}/members?${params}`);
+    }
+    async getGroupClientRoles(groupId, clientUuid) {
+        return this.get(`/groups/${groupId}/role-mappings/clients/${clientUuid}`);
+    }
+    async getClientRoles(clientUuid) {
+        return this.get(`/clients/${clientUuid}/roles`);
+    }
+    async getAdminEvents(types, first = 0, max = 50) {
+        const params = new URLSearchParams({ first: String(first), max: String(max) });
+        if (types) {
+            for (const t of types)
+                params.append('operationTypes', t);
+        }
+        return this.get(`/admin-events?${params}`);
+    }
+    async resolveClientUuid(clientIdName) {
+        const cached = this.clientUuidCache.get(clientIdName);
+        if (cached)
+            return cached;
+        const clients = await this.get(`/clients?clientId=${encodeURIComponent(clientIdName)}`);
+        if (!clients.length) {
+            throw new Error(`Keycloak client not found: ${clientIdName}`);
+        }
+        const uuid = clients[0].id;
+        this.clientUuidCache.set(clientIdName, uuid);
+        return uuid;
+    }
+    async get(path) {
+        return this.breaker.execute(async () => {
+            const token = await this.getServiceToken();
+            const url = `${this.adminBaseUrl}${path}`;
+            const res = await fetch(url, {
+                method: 'GET',
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                    Accept: 'application/json',
+                },
+            });
+            if (!res.ok) {
+                this.logger.error({ path, status: res.status }, 'Keycloak Admin API request failed');
+                throw new Error(`Keycloak Admin ${path}: ${res.status}`);
+            }
+            return res.json();
+        });
+    }
+    async getServiceToken() {
+        if (this.serviceToken && Date.now() < this.serviceTokenExpiresAt) {
+            return this.serviceToken;
+        }
+        const res = await fetch(this.tokenUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+                grant_type: 'client_credentials',
+                client_id: this.clientId,
+                client_secret: this.clientSecret,
+            }).toString(),
+        });
+        if (!res.ok) {
+            this.logger.error({ status: res.status }, 'Failed to obtain Keycloak service token');
+            throw new Error(`Keycloak token request failed: ${res.status}`);
+        }
+        const data = (await res.json());
+        this.serviceToken = data.access_token;
+        this.serviceTokenExpiresAt = Date.now() + (data.expires_in - 30) * 1000;
+        return this.serviceToken;
+    }
+};
+exports.KeycloakAdminService = KeycloakAdminService;
+exports.KeycloakAdminService = KeycloakAdminService = __decorate([
+    (0, common_1.Injectable)(),
+    __param(1, (0, nestjs_pino_1.InjectPinoLogger)(KeycloakAdminService.name)),
+    __metadata("design:paramtypes", [config_1.ConfigService,
+        nestjs_pino_1.PinoLogger])
+], KeycloakAdminService);

package/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "@quanticjs/iam-audit",
+  "version": "5.10.1",
+  "description": "Config-driven IAM audit module — Keycloak Admin REST API dashboard backend for 'who has access to what'",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "license": "MIT",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "jest --passWithNoTests",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@quanticjs/core": "^5.10.1"
+  },
+  "peerDependencies": {
+    "@nestjs/common": "^11.0.0",
+    "@nestjs/core": "^11.0.0",
+    "@nestjs/cqrs": "^11.0.0",
+    "@nestjs/config": "^3.0.0 || ^4.0.0",
+    "nestjs-pino": "^4.0.0"
+  }
+}