strapi-plugin-keycloak-realm-users 1.0.0

package/server/src/controllers/audit.js

@@ -0,0 +1,144 @@
+import { PLUGIN_ID, SERVICES, ERROR_MESSAGES } from '../constants.js';
+
+const auditController = ({ strapi }) => ({
+  /**
+   * Find audit logs with filters
+   */
+  async find(ctx) {
+    const user = ctx.state.user;
+    const { realmName, action, limit = 50, offset = 0 } = ctx.query;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      // Non-super admins can only see logs for their accessible realms
+      if (!permissionService.isSuperAdmin(user)) {
+        const accessibleRealms = await permissionService.getAccessibleRealms(user);
+        const accessibleRealmNames = accessibleRealms.map((r) => r.name);
+
+        // If filtering by realm, verify access
+        if (realmName && !accessibleRealmNames.includes(realmName)) {
+          return ctx.forbidden(ERROR_MESSAGES.REALM_ACCESS_DENIED);
+        }
+
+        // If no realm filter, only return logs for accessible realms
+        const auditLogService = strapi.plugin(PLUGIN_ID).service(SERVICES.AUDIT_LOG);
+
+        if (!realmName) {
+          // Fetch logs for all accessible realms
+          const allLogs = [];
+          for (const rn of accessibleRealmNames) {
+            const { entries } = await auditLogService.find({
+              realmName: rn,
+              action,
+              limit: parseInt(limit, 10),
+              offset: parseInt(offset, 10),
+            });
+            allLogs.push(...entries);
+          }
+
+          // Sort by createdAt desc and apply limit
+          allLogs.sort((a, b) => new Date(b.createdAt) - new Date(a.createdAt));
+          ctx.body = { data: allLogs.slice(0, parseInt(limit, 10)) };
+          return;
+        }
+      }
+
+      const auditLogService = strapi.plugin(PLUGIN_ID).service(SERVICES.AUDIT_LOG);
+      const result = await auditLogService.find({
+        realmName,
+        action,
+        limit: parseInt(limit, 10),
+        offset: parseInt(offset, 10),
+      });
+
+      ctx.body = { data: result.entries, meta: { total: result.total } };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] audit.find error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Find audit logs by realm
+   */
+  async findByRealm(ctx) {
+    const user = ctx.state.user;
+    const { realmId } = ctx.params;
+    const { limit = 50, offset = 0 } = ctx.query;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+      const realmService = strapi.plugin(PLUGIN_ID).service(SERVICES.REALM);
+
+      const canAccess = await permissionService.canAccessRealm(user, realmId, 'canRead');
+
+      if (!canAccess) {
+        return ctx.forbidden(ERROR_MESSAGES.REALM_ACCESS_DENIED);
+      }
+
+      const realm = await realmService.findOne(realmId);
+      const auditLogService = strapi.plugin(PLUGIN_ID).service(SERVICES.AUDIT_LOG);
+      const result = await auditLogService.findByRealm(realm.name, {
+        limit: parseInt(limit, 10),
+        offset: parseInt(offset, 10),
+      });
+
+      ctx.body = { data: result.entries, meta: { total: result.total } };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] audit.findByRealm error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Find audit logs by Keycloak user
+   */
+  async findByUser(ctx) {
+    const user = ctx.state.user;
+    const { keycloakUserId } = ctx.params;
+    const { limit = 50, offset = 0 } = ctx.query;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const auditLogService = strapi.plugin(PLUGIN_ID).service(SERVICES.AUDIT_LOG);
+      const result = await auditLogService.findByKeycloakUser(keycloakUserId, {
+        limit: parseInt(limit, 10),
+        offset: parseInt(offset, 10),
+      });
+
+      // Filter by accessible realms for non-super admins
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      if (!permissionService.isSuperAdmin(user)) {
+        const accessibleRealms = await permissionService.getAccessibleRealms(user);
+        const accessibleRealmNames = accessibleRealms.map((r) => r.name);
+
+        const filteredEntries = result.entries.filter((e) =>
+          accessibleRealmNames.includes(e.realmName)
+        );
+
+        ctx.body = { data: filteredEntries, meta: { total: filteredEntries.length } };
+        return;
+      }
+
+      ctx.body = { data: result.entries, meta: { total: result.total } };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] audit.findByUser error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+});
+
+export default auditController;

package/server/src/controllers/index.js

@@ -0,0 +1,9 @@
+import realm from './realm.js';
+import user from './user.js';
+import audit from './audit.js';
+
+export default {
+  realm,
+  user,
+  audit,
+};

package/server/src/controllers/realm.js

@@ -0,0 +1,324 @@
+import { PLUGIN_ID, SERVICES, ERROR_MESSAGES } from '../constants.js';
+
+const realmController = ({ strapi }) => ({
+  /**
+   * Get all realms (filtered by user access)
+   */
+  async find(ctx) {
+    const user = ctx.state.user;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+      const realms = await permissionService.getAccessibleRealms(user);
+      ctx.body = { data: realms };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.find error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Get a single realm by ID
+   */
+  async findOne(ctx) {
+    const user = ctx.state.user;
+    const { id } = ctx.params;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+      const realmService = strapi.plugin(PLUGIN_ID).service(SERVICES.REALM);
+
+      const canAccess = await permissionService.canAccessRealm(user, id, 'canRead');
+
+      if (!canAccess) {
+        return ctx.forbidden(ERROR_MESSAGES.REALM_ACCESS_DENIED);
+      }
+
+      const realm = await realmService.findOne(id);
+      const permissions = await permissionService.getRealmPermissions(user, id);
+
+      ctx.body = { data: { ...realm, permissions } };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.findOne error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Create a new realm (super admin only)
+   */
+  async create(ctx) {
+    const user = ctx.state.user;
+    const { data } = ctx.request.body;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      if (!permissionService.isSuperAdmin(user)) {
+        return ctx.forbidden('Only super admins can create realm configurations.');
+      }
+
+      const realmService = strapi.plugin(PLUGIN_ID).service(SERVICES.REALM);
+      const realm = await realmService.create(data);
+
+      ctx.body = { data: realm };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.create error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Update a realm (super admin only)
+   */
+  async update(ctx) {
+    const user = ctx.state.user;
+    const { id } = ctx.params;
+    const { data } = ctx.request.body;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      if (!permissionService.isSuperAdmin(user)) {
+        return ctx.forbidden('Only super admins can update realm configurations.');
+      }
+
+      const realmService = strapi.plugin(PLUGIN_ID).service(SERVICES.REALM);
+      const realm = await realmService.update(id, data);
+
+      ctx.body = { data: realm };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.update error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Delete a realm (super admin only)
+   */
+  async delete(ctx) {
+    const user = ctx.state.user;
+    const { id } = ctx.params;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      if (!permissionService.isSuperAdmin(user)) {
+        return ctx.forbidden('Only super admins can delete realm configurations.');
+      }
+
+      const realmService = strapi.plugin(PLUGIN_ID).service(SERVICES.REALM);
+      await realmService.delete(id);
+
+      ctx.body = { data: { success: true } };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.delete error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Test realm connection
+   */
+  async testConnection(ctx) {
+    const user = ctx.state.user;
+    const { id } = ctx.params;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+      const realmService = strapi.plugin(PLUGIN_ID).service(SERVICES.REALM);
+
+      const canAccess = await permissionService.canAccessRealm(user, id, 'canRead');
+
+      if (!canAccess) {
+        return ctx.forbidden(ERROR_MESSAGES.REALM_ACCESS_DENIED);
+      }
+
+      const result = await realmService.testConnection(id);
+      ctx.body = { data: result };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.testConnection error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Test connection before saving (with raw config)
+   */
+  async testConnectionRaw(ctx) {
+    const user = ctx.state.user;
+    const { data } = ctx.request.body;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      if (!permissionService.isSuperAdmin(user)) {
+        return ctx.forbidden('Only super admins can test realm configurations.');
+      }
+
+      const realmService = strapi.plugin(PLUGIN_ID).service(SERVICES.REALM);
+      const result = await realmService.testConnectionRaw(data);
+
+      ctx.body = { data: result };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.testConnectionRaw error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Get admins assigned to a realm
+   */
+  async getAdmins(ctx) {
+    const user = ctx.state.user;
+    const { id } = ctx.params;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      if (!permissionService.isSuperAdmin(user)) {
+        return ctx.forbidden('Only super admins can view realm admin assignments.');
+      }
+
+      const admins = await permissionService.getRealmAdmins(id);
+      ctx.body = { data: admins };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.getAdmins error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Assign an admin to a realm
+   */
+  async addAdmin(ctx) {
+    const user = ctx.state.user;
+    const { id } = ctx.params;
+    const { data } = ctx.request.body;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      if (!permissionService.isSuperAdmin(user)) {
+        return ctx.forbidden('Only super admins can assign realm admins.');
+      }
+
+      const { strapiUserId, strapiUserEmail, permissions } = data;
+
+      if (!strapiUserId) {
+        return ctx.badRequest('strapiUserId is required.');
+      }
+
+      const assignment = await permissionService.assignUserToRealm(
+        strapiUserId,
+        strapiUserEmail,
+        id,
+        permissions
+      );
+
+      ctx.body = { data: assignment };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.addAdmin error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Update admin permissions for a realm
+   */
+  async updateAdmin(ctx) {
+    const user = ctx.state.user;
+    const { id, adminId } = ctx.params;
+    const { data } = ctx.request.body;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      if (!permissionService.isSuperAdmin(user)) {
+        return ctx.forbidden('Only super admins can update realm admin assignments.');
+      }
+
+      const { permissions } = data;
+
+      const assignment = await permissionService.assignUserToRealm(
+        parseInt(adminId, 10),
+        null,
+        id,
+        permissions
+      );
+
+      ctx.body = { data: assignment };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.updateAdmin error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+
+  /**
+   * Remove an admin from a realm
+   */
+  async removeAdmin(ctx) {
+    const user = ctx.state.user;
+    const { id, adminId } = ctx.params;
+
+    if (!user) {
+      return ctx.unauthorized(ERROR_MESSAGES.INSUFFICIENT_PERMISSIONS);
+    }
+
+    try {
+      const permissionService = strapi.plugin(PLUGIN_ID).service(SERVICES.PERMISSION);
+
+      if (!permissionService.isSuperAdmin(user)) {
+        return ctx.forbidden('Only super admins can remove realm admins.');
+      }
+
+      await permissionService.removeUserFromRealm(parseInt(adminId, 10), id);
+      ctx.body = { data: { success: true } };
+    } catch (err) {
+      strapi.log.error(`[${PLUGIN_ID}] realm.removeAdmin error:`, err);
+      ctx.throw(400, err.sanitizedMessage || ERROR_MESSAGES.UNKNOWN_ERROR);
+    }
+  },
+});
+
+export default realmController;