feat(authorization): Trigger migration automatically

oheger-bosch · oheger-bosch · commit 68767bf34ce1 · 2025-11-07T14:32:55.000+01:00
Instead of doing a synchronization of roles in Keycloak, trigger a
migration to new access rights structures on startup of the core
component.

Signed-off-by: Oliver Heger &lt;oliver.heger@bosch.com&gt;
diff --git a/core/src/main/kotlin/di/Module.kt b/core/src/main/kotlin/di/Module.kt
@@ -22,11 +22,13 @@ package org.eclipse.apoapsis.ortserver.core.di
 import com.typesafe.config.ConfigFactory
 
 import io.ktor.server.config.ApplicationConfig
+import io.ktor.server.config.tryGetString
 
 import kotlinx.serialization.json.Json
 
 import org.eclipse.apoapsis.ortserver.clients.keycloak.DefaultKeycloakClient
 import org.eclipse.apoapsis.ortserver.clients.keycloak.KeycloakClient
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.migration.RolesToDbMigration
 import org.eclipse.apoapsis.ortserver.components.authorization.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.components.authorization.service.DbAuthorizationService
 import org.eclipse.apoapsis.ortserver.components.authorization.service.KeycloakUserService
@@ -210,4 +212,17 @@ fun ortServerModule(config: ApplicationConfig, db: Database?, authorizationServi
     singleOf(::PluginService)
     singleOf(::PluginTemplateEventStore)
     singleOf(::PluginTemplateService)
+
+    single { RolesToDbMigration(get(), get(), getKeycloakGroupPrefix(config), get()) }
 }
+
+/**
+ * Retrieve the prefix for Keycloak groups representing roles for hierarchy elements from the given [config]. This is
+ * needed for the migration of roles managed by Keycloak to roles stored in the database. The prefix is obtained from
+ * the configuration of the authorization component based on Keycloak. It is, however, possible to override it via a
+ * special property for the migration. This is useful for instance, to test the migration on different ORT Server
+ * deployments, e.g. a test environment.
+ */
+private fun getKeycloakGroupPrefix(config: ApplicationConfig): String =
+    config.tryGetString("keycloak.migrationGroupPrefix")
+        ?: config.tryGetString("keycloak.groupPrefix").orEmpty()
diff --git a/core/src/main/kotlin/plugins/Lifecycle.kt b/core/src/main/kotlin/plugins/Lifecycle.kt
@@ -26,8 +26,8 @@ import kotlin.concurrent.thread
 
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.migration.RolesToDbMigration
 
-import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.service.AuthorizationService
 import org.eclipse.apoapsis.ortserver.utils.logging.runBlocking
 import org.eclipse.apoapsis.ortserver.utils.logging.withMdcContext
 
@@ -41,26 +41,28 @@ import org.slf4j.MDC
  */
 fun Application.configureLifecycle() {
     monitor.subscribe(ApplicationStarted) {
-        val authorizationService by inject<AuthorizationService>()
+        val rolesMigration by inject<RolesToDbMigration>()
 
         val mdcContext = MDC.getCopyOfContextMap()
 
         thread {
             MDC.setContextMap(mdcContext)
             runBlocking(Dispatchers.IO) {
-                syncRoles(authorizationService)
+                migrateRoles(rolesMigration)
             }
         }
     }
 }
 
 /**
- * Trigger the synchronization of permissions and roles in Keycloak. The synchronization then runs in the background.
+ * Perform a migration to new database-based structures for access rights if necessary. This makes sure that the
+ * new structures are populated once when switching from access rights stored in Keycloak to the new storage in the
+ * database. The migration then runs in the background.
  */
-private suspend fun syncRoles(authorizationService: AuthorizationService) {
+private suspend fun migrateRoles(migration: RolesToDbMigration) {
     withMdcContext("component" to "core") {
         launch {
-            authorizationService.ensureSuperuserAndSynchronizeRolesAndPermissions()
+            migration.migrateRolesToDb()
         }
     }
 }
diff --git a/core/src/main/resources/application.conf b/core/src/main/resources/application.conf
@@ -74,6 +74,7 @@ keycloak {
   subjectClientId = ${?KEYCLOAK_SUBJECT_CLIENT_ID}
   groupPrefix = ""
   groupPrefix = ${?KEYCLOAK_GROUP_PREFIX}
+  migrationGroupPrefix = ${?KEYCLOAK_MIGRATION_GROUP_PREFIX}
   timeoutSeconds = 60
   timeoutSeconds = ${?KEYCLOAK_TIMEOUT_SECONDS}
 }

Original file line number	Diff line number	Diff line change
`@@ -26,8 +26,8 @@ import kotlin.concurrent.thread`
`26`	`26`
`27`	`27`	`import kotlinx.coroutines.Dispatchers`
`28`	`28`	`import kotlinx.coroutines.launch`
	`29`	`+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.migration.RolesToDbMigration`
`29`	`30`
`30`		`-import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.service.AuthorizationService`
`31`	`31`	`import org.eclipse.apoapsis.ortserver.utils.logging.runBlocking`
`32`	`32`	`import org.eclipse.apoapsis.ortserver.utils.logging.withMdcContext`
`33`	`33`
`@@ -41,26 +41,28 @@ import org.slf4j.MDC`
`41`	`41`	`*/`
`42`	`42`	`fun Application.configureLifecycle() {`
`43`	`43`	`monitor.subscribe(ApplicationStarted) {`
`44`		`- val authorizationService by inject<AuthorizationService>()`
	`44`	`+ val rolesMigration by inject<RolesToDbMigration>()`
`45`	`45`
`46`	`46`	`val mdcContext = MDC.getCopyOfContextMap()`
`47`	`47`
`48`	`48`	`thread {`
`49`	`49`	`MDC.setContextMap(mdcContext)`
`50`	`50`	`runBlocking(Dispatchers.IO) {`
`51`		`- syncRoles(authorizationService)`
	`51`	`+ migrateRoles(rolesMigration)`
`52`	`52`	`}`
`53`	`53`	`}`
`54`	`54`	`}`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`/**`
`58`		`- * Trigger the synchronization of permissions and roles in Keycloak. The synchronization then runs in the background.`
	`58`	`+ * Perform a migration to new database-based structures for access rights if necessary. This makes sure that the`
	`59`	`+ * new structures are populated once when switching from access rights stored in Keycloak to the new storage in the`
	`60`	`+ * database. The migration then runs in the background.`
`59`	`61`	`*/`
`60`		`-private suspend fun syncRoles(authorizationService: AuthorizationService) {`
	`62`	`+private suspend fun migrateRoles(migration: RolesToDbMigration) {`
`61`	`63`	`withMdcContext("component" to "core") {`
`62`	`64`	`launch {`
`63`		`- authorizationService.ensureSuperuserAndSynchronizeRolesAndPermissions()`
	`65`	`+ migration.migrateRolesToDb()`
`64`	`66`	`}`
`65`	`67`	`}`
`66`	`68`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,7 @@ keycloak {`
`74`	`74`	`subjectClientId = ${?KEYCLOAK_SUBJECT_CLIENT_ID}`
`75`	`75`	`groupPrefix = ""`
`76`	`76`	`groupPrefix = ${?KEYCLOAK_GROUP_PREFIX}`
	`77`	`+ migrationGroupPrefix = ${?KEYCLOAK_MIGRATION_GROUP_PREFIX}`
`77`	`78`	`timeoutSeconds = 60`
`78`	`79`	`timeoutSeconds = ${?KEYCLOAK_TIMEOUT_SECONDS}`
`79`	`80`	`}`