Implement KeycloakAttributeSyncScheduler and bidirectional user synchronization with protocol mapper support and UI-driven custom attribute mapping access control (#36)

* Initial plan

* Fully implement KeycloakAttributeSyncScheduler and user synchronization

- Implemented full sync of all users from Keycloak with pagination support
- Implemented sync of specific user from Keycloak
- Added attribute filtering to exclude internal Keycloak attributes
- Enhanced KeycloakService with methods for listing users, getting users, creating users, and updating attributes
- Modified UserService to sync attributes from Keycloak when new users are created
- Added method to create users in Keycloak when they are created in Sentrius
- Added comprehensive tests for KeycloakAttributeSyncScheduler
- Added comprehensive tests for KeycloakService
- All tests passing

Co-authored-by: phrocker <[email protected]>

* update

* Add password support for Keycloak user creation in UserApiController

- Enhanced KeycloakService.createUser() with password parameter support
- Added setUserPassword() method to set/reset user passwords in Keycloak
- Updated UserApiController.addUser() to create users in Keycloak with passwords
- Users created through UI now automatically get created in Keycloak with their password
- Password is not temporary, allowing immediate login
- Added 4 new tests for password functionality
- All 17 tests passing in KeycloakServiceTest

Co-authored-by: phrocker <[email protected]>

* uipdate

* Fix attribute handling for Keycloak 22+ user profile compatibility

- Modified createUser() to set attributes AFTER user creation (Keycloak 22+ best practice)
- Attributes are no longer set directly during UserRepresentation.create()
- Instead, attributes are set via updateUserAttributes() after user creation
- This ensures compatibility with Keycloak 22+ User Profile validation
- Enhanced updateUserAttributes() with better error handling and logging
- Updated test to reflect new attribute handling behavior
- All 17 tests passing

Co-authored-by: phrocker <[email protected]>

* Remove attribute writing to Keycloak - attributes must be managed in User Profile

- Removed automatic attribute setting during user creation
- Added deprecation warning to updateUserAttributes() method
- Clarified that custom attributes must be defined in Keycloak User Profile (Admin Console)
- Attributes are READ-ONLY from Sentrius perspective - managed in Keycloak, synced to Sentrius
- Enhanced documentation explaining Keycloak 22+ User Profile workflow
- Updated test to verify attributes are NOT set during user creation
- All 17 tests passing

For Keycloak 22+ User Profile:
1. Define attributes in Keycloak Admin Console > Realm Settings > User Profile
2. Fill in attribute values for users through Keycloak UI
3. Sentrius sync scheduler reads attributes from Keycloak
4. Attributes are stored in Sentrius ABAC system for policy evaluation

Co-authored-by: phrocker <[email protected]>

* Enable bidirectional attribute sync with protocol mappers

- Re-enabled attribute writing to Keycloak (reverted read-only approach)
- Added protocol mappers for common ABAC attributes to realm template:
  - department, team_role, clearance_level, location, cost_center, project
- Protocol mappers ensure attributes appear in OIDC tokens
- Updated KeycloakService to set attributes after user creation
- Added syncUserAttributesToKeycloak() method in AttributeManagementService
- Attributes set in Sentrius can now be synced to Keycloak
- Bidirectional sync: Sentrius ↔ Keycloak
- Updated tests to match new behavior
- All tests passing (17 KeycloakService tests, full test suite)

Co-authored-by: phrocker <[email protected]>

* Fix updates

* update

* Fix custom attribute check to pass endpoint parameter

- Fixed checkCustomAttribute() call in AccessControlAspect to include endpoint parameter
- This enables ABAC PolicyEvaluator to properly evaluate custom attributes from database
- Custom attributes defined via ABAC page can now be evaluated within the aspect
- All custom attribute checks now work correctly with both PolicyEvaluator and UserAttributeService

Co-authored-by: phrocker <[email protected]>

* Add database endpoint attribute checking to AccessControlAspect

- Added AttributeAssignmentRepository injection to AccessControlAspect
- Implemented checkDatabaseEndpointAttributes() method to check attributes from database
- Retrieves attributes assigned to endpoints via ABAC page (TargetType.ENDPOINT)
- Validates that users have required attribute values for the endpoint
- Integrates with existing checkCustomAttribute() for consistency
- Now checks BOTH annotation-defined AND database-defined custom attributes
- Attributes defined via ABAC page are now properly evaluated for access control

Co-authored-by: phrocker <[email protected]>

* Fix database endpoint attribute checking to use ABAC policies

- Replaced AttributeAssignment lookup with PolicyEvaluator
- Now properly uses AccessPolicy and PolicyRule to determine endpoint requirements
- PolicyEvaluator evaluates user attributes against policy rules
- Supports complex policy logic (AND/OR combinations, various operators)
- Correctly implements the ABAC workflow:
  1. Attribute Definitions - define available attributes
  2. User Assignments - assign attribute values to users
  3. Access Mappings (Policies) - define rules for endpoint access
- Removed AttributeAssignmentRepository injection (not needed)
- Access Mappings from ABAC page now properly enforced

Co-authored-by: phrocker <[email protected]>

* Fix database endpoint attribute checking to use CustomAttributeMapping

- Replaced PolicyEvaluator with CustomAttributeMappingService
- Now properly queries custom_attribute_mappings table from UI
- CustomAttributeMapping stores endpoint requirements (e.g., /api/v1/chat/** requires department=engineering)
- Integrates with existing checkCustomAttribute() method for validation
- Properly implements UI-driven access control workflow:
  1. Admin creates mapping via CustomAttributeMappingController
  2. Mapping stored in custom_attribute_mappings table
  3. AccessControlAspect retrieves and enforces mappings
- Custom mappings defined via ABAC UI are now properly enforced

Co-authored-by: phrocker <[email protected]>

* Fix custom attribute checking to verify user actually has required attributes

- Fixed checkCustomAttribute() to properly check if user has the required attribute value
- Previously was incorrectly adding the required value to user's context, making all checks pass
- Now correctly:
  1. Builds context which loads user's AttributeAssignments from database
  2. Checks if user's attribute value matches the required value
  3. Returns true only if user actually has the attribute with the required value
- Fixed test file compilation errors (duplicate class definitions)
- Addresses issue where mappings like "clearance_level=low" were found but not validated against user's actual attributes
- All tests passing

Co-authored-by: phrocker <[email protected]>

* commit

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: phrocker <[email protected]>
Co-authored-by: Marc Parisi <[email protected]>

Author: Copilot

api/src/main/java/io/sentrius/sso/controllers/api/abac/AttributeManagementController.java

@@ -89,7 +89,7 @@ public ResponseEntity<AttributeAssignmentDTO> createUserAttribute(@RequestBody A
         if (dto.isSyncToKeycloak() && dto.getTargetType().equals("USER")) {
             Map<String, String> attrs = new HashMap<>();
             attrs.put(dto.getAttributeName(), dto.getAttributeValue());
-            attributeManagementService.syncUserAttributesFromKeycloak(dto.getTargetId(), attrs);
+            //attributeManagementService.syncUserAttributesToKeycloak(dto.getTargetId(), attrs);
         }
 
         return ResponseEntity.ok(toAssignmentDTO(assignment));
@@ -244,6 +244,7 @@ private AttributeAssignmentDTO toAssignmentDTO(AttributeAssignment assignment) {
         dto.setTargetId(assignment.getTargetId());
         dto.setAttributeName(assignment.getAttributeDefinition().getAttributeName());
         dto.setAttributeValue(assignment.getAttributeValue());
+        dto.setSource(assignment.getSource().name());
         if (assignment.getValidFrom() != null) {
             dto.setValidFrom(LocalDateTime.ofInstant(assignment.getValidFrom(), ZoneOffset.UTC));
         }

api/src/main/java/io/sentrius/sso/controllers/api/users/UserApiController.java

@@ -38,6 +38,7 @@
 import io.sentrius.sso.core.services.agents.AgentService;
 import io.sentrius.sso.core.services.agents.ZeroTrustClientService;
 import io.sentrius.sso.core.services.security.CryptoService;
+import io.sentrius.sso.core.services.security.KeycloakService;
 import io.sentrius.sso.core.services.security.ZeroTrustAccessTokenService;
 import io.sentrius.sso.core.services.security.ZeroTrustRequestService;
 import io.sentrius.sso.core.services.users.UserAttributeService;
@@ -76,6 +77,7 @@ public class UserApiController extends BaseController {
     final ZeroTrustAccessTokenService ztatService;
     final AgentService agentService;
     final ZeroTrustClientService zeroTrustClientService;
+    final KeycloakService keycloakService;
 
 
     @Value("${agentproxy.externalUrl:}")
@@ -100,7 +102,7 @@ protected UserApiController(
         SessionService sessionService,
         ZeroTrustRequestService ztatRequestService,
         ZeroTrustAccessTokenService ztatService, AgentService agentService,
-        ZeroTrustClientService zeroTrustClientService
+        ZeroTrustClientService zeroTrustClientService, KeycloakService keycloakService
     ) {
         super(userService, systemOptions, errorOutputService);
         this.hostGroupService =     hostGroupService;
@@ -113,6 +115,7 @@ protected UserApiController(
         this.ztatService = ztatService;
         this.agentService = agentService;
         this.zeroTrustClientService = zeroTrustClientService;
+        this.keycloakService = keycloakService;
     }
 
     @GetMapping("list")
@@ -171,13 +174,48 @@ public ResponseEntity<ObjectNode> addUser(HttpServletRequest request, HttpServle
         ObjectNode node = JsonUtil.MAPPER.createObjectNode();
 
         try {
-            user.setPassword(userService.encodePassword( user.getPassword()));
-            // Save user using service
-            userService.addUscer(user);
-            node.put("status","User successfully added.");
+            // Store the original password before encoding
+            String originalPassword = user.getPassword();
+            
+            // Encode password for Sentrius database
+            user.setPassword(userService.encodePassword(user.getPassword()));
+            
+            // Save user in Sentrius
+            user = userService.addUscer(user);
+
+            // Create user in Keycloak with the original password
+            // Keycloak will hash the password itself
+            String[] nameParts = user.getName() != null ? user.getName().split(" ", 2) : new String[]{user.getUsername(), ""};
+            String firstName = nameParts[0];
+            String lastName = nameParts.length > 1 ? nameParts[1] : "";
+            
+            String keycloakUserId = keycloakService.createUser(
+                user.getUsername(), 
+                user.getEmailAddress(), 
+                firstName, 
+                lastName, 
+                null,  // No custom attributes initially
+                originalPassword,  // Use original password (not encoded)
+                false  // Not temporary - user can use this password
+            );
+            
+            if (keycloakUserId != null) {
+                // Update the user with the Keycloak ID if not already set
+                if (user.getUserId() == null || user.getUserId().isEmpty()) {
+                    user.setUserId(keycloakUserId);
+                    userService.save(user);
+                }
+                node.put("status", "User successfully added to Sentrius and Keycloak.");
+                log.info("User {} created in both Sentrius and Keycloak with ID {}", user.getUsername(), keycloakUserId);
+            } else {
+                node.put("status", "User added to Sentrius but failed to create in Keycloak. User may not be able to log in.");
+                log.warn("User {} created in Sentrius but failed to create in Keycloak", user.getUsername());
+            }
+            
             return ResponseEntity.ok(node);
         } catch (Exception e) {
-            node.put("status","Error adding user");
+            log.error("Error adding user", e);
+            node.put("status", "Error adding user: " + e.getMessage());
             return ResponseEntity.internalServerError().body(node);
         }
     }
@@ -231,6 +269,7 @@ public String deleteUser(@RequestParam("userId") String userId, @RequestParam(re
                 return "redirect:/sso/v1/users/list?message=" + MessagingUtil.getMessageId(MessagingUtil.UNEXPECTED_ERROR);
 
             }
+            keycloakService.deleteUser(usr.getUsername());
             userService.deleteUser(usr.getId());
         } else {
             Long id = Long.parseLong(cryptoService.decrypt(userId));
@@ -239,7 +278,10 @@ public String deleteUser(@RequestParam("userId") String userId, @RequestParam(re
                 return "redirect:/sso/v1/users/list?message=" +
                     MessagingUtil.getMessageId(MessagingUtil.UNEXPECTED_ERROR);
             }
+            var user = userService.getUserById(id);
+            keycloakService.deleteUser(user.getUsername());
             userService.deleteUser(id);
+
         }
         return "redirect:/sso/v1/users/list?message=" + MessagingUtil.getMessageId(MessagingUtil.USER_DELETE_SUCCESS);
     }

api/src/main/java/io/sentrius/sso/controllers/view/UserController.java

@@ -79,7 +79,6 @@ public UserSettings getUserSettingsAttribute(HttpServletRequest request, HttpSer
     @ModelAttribute("typeList")
     public List<UserTypeDTO> getUserTypeList() {
         var types = userService.getUserTypeList();
-        log.info("UserTypeList: {}", types);
         return types;
     }
 

api/src/main/resources/static/js/add_user.js

@@ -35,7 +35,7 @@ document.addEventListener('DOMContentLoaded', function () {
                 .catch((error) => {
                     $("#alertTop").hide();
                     $("#alertTopError").text("User Not Added").show().delay(3000).fadeOut();
-cd                });
+               });
         });
     }
 });

api/src/main/resources/templates/fragments/add_user.html

@@ -26,7 +26,12 @@ <h5 class="modal-title" id="userFormModalLabel">Add User</h5>
                     </div>
                     <div class="mb-3">
                         <label for="emailAddress" class="form-label">E-mail Address</label>
-                        <input type="text" class="form-control" th:field="*{emailAddress}" required>
+                        <input type="email"
+                               class="form-control"
+                               th:field="*{emailAddress}"
+                               placeholder="[email protected]"
+                               required
+                               pattern="^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$">
                     </div>
                     <div class="mb-3">
                         <label for="password" class="form-label">Password</label>

api/src/main/resources/templates/fragments/sidebar.html

@@ -19,11 +19,6 @@
                     <i class="fas fa-server"></i> <span class="ms-1 d-none d-sm-inline">SSH Servers</span>
                 </a>
             </li>-->
-            <li th:if="${#sets.contains(operatingUser.authorizationType.accessSet, 'CAN_VIEW_USERS')}">
-                <a href="/sso/v1/users/list" class="nav-link px-0 align-middle">
-                    <i class="fas fa-users"></i> <span class="ms-1 d-none d-sm-inline">Users</span>
-                </a>
-            </li>
             <li th:if="${#sets.contains(operatingUser.authorizationType.accessSet, 'CAN_MANAGE_APPLICATION')}">
                 <a href="/sso/v1/system/settings" class="nav-link px-0 align-middle">
                     <i class="fas fa-cog"></i> <span class="ms-1 d-none d-sm-inline">Settings</span>

api/src/main/resources/templates/sso/attributes_unified.html

@@ -714,7 +714,7 @@ <h5 style="color: #28a745; margin-bottom: 15px;">📋 How to Use ABAC - Step by
                                         <select id="filterSource" onchange="filterAttributesTable()">
                                             <option value="">All Sources</option>
                                             <option value="keycloak">Keycloak</option>
-                                            <option value="local">Local</option>
+                                            <option value="sentrius">Sentrius</option>
                                         </select>
                                     </div>
                                     <div class="filter-item">
@@ -1229,7 +1229,7 @@ <h2 class="modal-title" id="mappingModalTitle">Add Custom Attribute Mapping</h2>
                 <td>${escapeHtml(attr.attributeName)}</td>
                 <td>${escapeHtml(attr.attributeValue)}</td>
                 <td><span class="badge ${attr.syncedFromKeycloak ? 'badge-keycloak' : 'badge-local'}">
-                    ${attr.syncedFromKeycloak ? 'Keycloak' : 'Local'}
+                    ${attr.syncedFromKeycloak ? 'Keycloak' : 'Sentrius'}
                 </span></td>
                 <td>${attr.validFrom ? new Date(attr.validFrom).toLocaleDateString() : '-'}</td>
                 <td>${attr.validUntil ? new Date(attr.validUntil).toLocaleDateString() : '-'}</td>

api/src/test/java/io/sentrius/sso/controllers/api/users/UserPublicKeyApiControllerTest.java

@@ -12,6 +12,7 @@
 import io.sentrius.sso.core.services.UserCustomizationService;
 import io.sentrius.sso.core.services.SessionService;
 import io.sentrius.sso.core.services.security.CryptoService;
+import io.sentrius.sso.core.services.security.KeycloakService;
 import io.sentrius.sso.core.services.security.ZeroTrustRequestService;
 import io.sentrius.sso.core.services.security.ZeroTrustAccessTokenService;
 import io.sentrius.sso.core.services.agents.AgentService;
@@ -82,6 +83,9 @@ public class UserPublicKeyApiControllerTest {
     @Mock
     private HttpServletResponse response;
 
+    @Mock
+    private KeycloakService keycloakService;
+
     private UserApiController controller;
 
     @BeforeEach
@@ -99,7 +103,8 @@ void setUp() {
             zeroTrustRequestService, 
             zeroTrustAccessTokenService, 
             agentService, 
-            zeroTrustClientService
+            zeroTrustClientService,
+            keycloakService
         );
     }
 

core/src/main/java/io/sentrius/sso/core/dto/abac/AttributeAssignmentDTO.java

@@ -12,6 +12,7 @@ public class AttributeAssignmentDTO {
     private String username; // For display
     private String attributeName;
     private String attributeValue;
+    private String source;
     private LocalDateTime validFrom;
     private LocalDateTime validUntil;
     private boolean syncedFromKeycloak;