adorsys / keycloak-config-cli

Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
Apache License 2.0

Group management fails with case sensitivity #1019

Open col-panic opened 1 month ago

col-panic commented 1 month ago

Current Behavior

I have a realm in JSON format, where multiple groups are defined, such as

"groups": [
    {
      "name": "GroupArzt",
      "path": "/GroupArzt"
    },
    {
      "name": "GroupAssistent",
      "path": "/GroupAssistent"
    },
    {
      "name": "GroupMPA",
      "path": "/GroupMPA"
    },
    {
      "name": "GroupMPK",
      "path": "/GroupMPK"
    },
    {
      "name": "GroupPraktikant",
      "path": "/GroupPraktikant"
    },
    {
      "name": "GroupIntern",
      "path": "/GroupIntern"
    },
    {
      "name": "GroupThirdParty",
      "path": "/GroupThirdParty"
    }
  ]

On executing like

java -jar $KC_CONFIG_CLI_JAR \
    --keycloak.url=http://keycloak:8080/keycloak/auth \
    --keycloak.ssl-verify=false \
    --keycloak.user=KeycloakAdmin \
    --keycloak.password=${ADMIN_PASSWORD} \
    --import.validate=true \
    --import.var-substitution.enabled=true \
    --import.files.locations=$RESULT_FILE

I started to receive messages like

2024-05-15 08:52:27.015 ERROR 157 --- [           main] d.a.k.config.KeycloakConfigRunner        : Create method returned status Conflict (Code: 409); expected status: Created (201)

with the respective keycloak message

keycloak-1  | 2024-05-15 08:54:43,415 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (executor-thread-4) SQL Error: 1062, SQLState: 23000
keycloak-1  | 2024-05-15 08:54:43,415 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (executor-thread-4) Duplicate entry '8379d9e8-3a17-49f4-93a5-4e6235ab0f1a- -GroupMPA' for key 'SIBLING_NAMES'

The database entry is

my:eemaster_keycloak@192/eemaster_keycloak=> select * from KEYCLOAK_GROUP;
                  ID                  |      NAME       | PARENT_GROUP |               REALM_ID               
--------------------------------------+-----------------+--------------+--------------------------------------
 8b5e5de8-a142-4e8c-bed5-539bb5e67bde | GroupArzt       |              | 8379d9e8-3a17-49f4-93a5-4e6235ab0f1a 
 41dd284d-c730-434b-bb9a-c475f94564fb | GroupAssistent  |              | 8379d9e8-3a17-49f4-93a5-4e6235ab0f1a 
 efded937-212b-4c6b-acbb-51f902ebcb54 | GroupIntern     |              | 8379d9e8-3a17-49f4-93a5-4e6235ab0f1a 
 638b5fa8-d69e-46cc-bee8-ea6448c7e41c | GroupMpa        |              | 8379d9e8-3a17-49f4-93a5-4e6235ab0f1a 
 bb242305-8878-4430-88f5-fd22a19c0648 | GroupMpk        |              | 8379d9e8-3a17-49f4-93a5-4e6235ab0f1a 
 4ff4c67c-cf74-46f9-8cc0-2746ee6974d7 | GroupPraktikant |              | 8379d9e8-3a17-49f4-93a5-4e6235ab0f1a 
 d272d980-98b2-464a-92ae-ca486448e286 | GroupThirdParty |              | 8379d9e8-3a17-49f4-93a5-4e6235ab0f1a 
(7 rows)

Expected Behavior

There should not be an ERROR happening.

Steps To Reproduce

See above

Environment

Anything else?

No response

col-panic commented 1 month ago

In the test examples https://github.com/adorsys/keycloak-config-cli/blob/main/src/test/resources/import-files/groups/01_update_realm_add_group.json no path attribute was used. Thus I removed the path values, yet the error stays the same.

col-panic commented 1 month ago

--import.managed.group=full also does not solve the problem

col-panic commented 1 month ago

Debug info shows that, for some reason, GroupImportService fails to correctly find the existing group and tries to add it again?

ee-config-1  | Caused by: jakarta.ws.rs.WebApplicationException: Create method returned status Conflict (Code: 409); expected status: Created (201)
ee-config-1  |  at org.keycloak.admin.client.CreatedResponseUtil.getCreatedId(CreatedResponseUtil.java:43)
ee-config-1  |  at de.adorsys.keycloak.config.repository.GroupRepository.createGroup(GroupRepository.java:102)
ee-config-1  |  at de.adorsys.keycloak.config.service.GroupImportService.createGroup(GroupImportService.java:144)
ee-config-1  |  at de.adorsys.keycloak.config.service.GroupImportService.createOrUpdateRealmGroup(GroupImportService.java:139)
ee-config-1  |  at de.adorsys.keycloak.config.service.GroupImportService.lambda$createOrUpdateGroups$0(GroupImportService.java:77)
ee-config-1  |  at java.base/java.util.ArrayList.forEach(Unknown Source)
ee-config-1  |  at de.adorsys.keycloak.config.service.GroupImportService.createOrUpdateGroups(GroupImportService.java:81)
ee-config-1  |  at de.adorsys.keycloak.config.service.GroupImportService.importGroups(GroupImportService.java:69)
ee-config-1  |  at de.adorsys.keycloak.config.service.RealmImportService.configureRealm(RealmImportService.java:203)
ee-config-1  |  at de.adorsys.keycloak.config.service.RealmImportService.updateRealm(RealmImportService.java:195)
ee-config-1  |  at de.adorsys.keycloak.config.service.RealmImportService.updateRealmIfNecessary(RealmImportService.java:153)
ee-config-1  |  at de.adorsys.keycloak.config.service.RealmImportService.doImport(RealmImportService.java:144)
ee-config-1  |  at de.adorsys.keycloak.config.KeycloakConfigRunner.run(KeycloakConfigRunner.java:79)
ee-config-1  |  at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:768)
ee-config-1  |  ... 13 common frames omitted
ee-config-1  | 

col-panic commented 1 month ago

I manually renamed the group entries GroupMpa -> GroupMPA and GroupMpk to GroupMPK in the database. After this the problem does NOT occur anymore.

It seems that while the code is case-sensitive in finding the group, the database is case-insensitive in accepting group names!
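
A pre-import check for the mismatch described in this thread, as an added example that is not part of the original issue or of keycloak-config-cli: it compares the group paths in a realm file with those already stored on the server and reports pairs that differ only by letter case. The function names are hypothetical, the sample data is constructed from the names shown in the report, and `casefold()` is an assumed approximation of the database's case-insensitive comparison.

```python
import json

# Constructed sample: the "groups" section of the realm file from the report.
DESIRED_GROUPS = json.loads("""[
  {"name": "GroupArzt"}, {"name": "GroupAssistent"}, {"name": "GroupMPA"},
  {"name": "GroupMPK"}, {"name": "GroupPraktikant"}, {"name": "GroupIntern"},
  {"name": "GroupThirdParty"}
]""")

# Constructed sample: the names stored in KEYCLOAK_GROUP in the report.
EXISTING_GROUPS = [{"name": n} for n in (
    "GroupArzt", "GroupAssistent", "GroupIntern", "GroupMpa",
    "GroupMpk", "GroupPraktikant", "GroupThirdParty",
)]


def group_paths(groups, parent=""):
    """Yield the full path of every group, descending into subGroups."""
    for group in groups or []:
        path = f"{parent}/{group['name']}"
        yield path
        yield from group_paths(group.get("subGroups"), path)


def find_case_collisions(desired, existing):
    """Return (desired_path, existing_path) pairs that differ only by case.

    An exact-match lookup misses such a pair, while a case-insensitive
    unique key rejects the insert, which surfaces as 409 Conflict.
    Assumption: casefold() approximates the database collation.
    """
    stored = {path.casefold(): path for path in group_paths(existing)}
    collisions = []
    for path in group_paths(desired):
        match = stored.get(path.casefold())
        if match is not None and match != path:
            collisions.append((path, match))
    return collisions


if __name__ == "__main__":
    for want, have in find_case_collisions(DESIRED_GROUPS, EXISTING_GROUPS):
        print(f"case mismatch: realm file has {want!r}, server has {have!r}")
```
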