Added configurable options for registry and ACLs

README.md

@@ -21,7 +21,7 @@ AKHQ ACL Mapper is a custom protocol mapper for Keycloak that supports AKHQ's la
 [![Buy me a coffee](https://img.shields.io/static/v1?label=Buy%20me%20a&message=coffee&color=important&style=flat&logo=buy-me-a-coffee&logoColor=white)](https://www.buymeacoffee.com/stevenjdh)
 
 ## Features
-* Maps previous `topics-filter-regexp`, `connects-filter-regexp`, `consumer-groups-filter-regexp` group attributes to new ACLs.
+* Maps previous `topics-filter-regexp`, `connects-filter-regexp`, `consumer-groups-filter-regexp`, etc. group attributes to new ACLs.
 * Avoids use of `*-writer` roles to prevent users with `topics/create` or `connect/create` roles from creating disallowed resources.
 * Automatically creates the parent `groups` claim for the ACL substructure.
 * Basic debugging support.
@@ -74,7 +74,7 @@ bin/kc.[sh|bat] start-dev --features=scripts
 > These command examples start Keycloak in development mode for testing only. The command used for the Node.js mapper also enables the required scripts preview feature in order to be supported.
 
 ### Install custom provider for Kubernetes setups
-When using a Kubernetes setup with Keycloak installed via the Bitnami Helm Chart, modify the chart´s `values.yaml` file to include the following configuration:
+When using a Kubernetes setup with Keycloak installed via the Bitnami Helm Chart, modify the chart's `values.yaml` file to include the following configuration:
 
 **Java-based mapper**
 
@@ -110,7 +110,7 @@ containerSecurityContext:
 > The configuration used for the Node.js mapper enables the required scripts preview feature in order to be supported.
 
 ### Configure user group attributes
-Ensure that the user group attributes match the `topics-filter-regexp`, `connects-filter-regexp`, `consumer-groups-filter-regexp` keys. If they don't, then they will either need to be updated or the code/script adjusted to match.
+Ensure that the user group attributes match the `topics-filter-regexp`, `connects-filter-regexp`, and `consumer-groups-filter-regexp` keys. If they don't, then they will either need to be updated in Keycloak or the code/script adjusted to match. Additionally, the `registry-filter-regexp` and `acls-filter-regexp` keys are supported.
 
 ### Add custom protocol mapper
 In Keycloak, perform the following steps:

java/src/main/java/io/github/stevenjdh/akhq/acl/mapper/AkhqAclMapper.java

@@ -102,6 +102,8 @@ protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
             String topicFilter = group.getFirstAttribute("topics-filter-regexp");
             String groupFilter = group.getFirstAttribute("consumer-groups-filter-regexp");
             String connectFilter = group.getFirstAttribute("connects-filter-regexp");
+            String registryFilter = group.getFirstAttribute("registry-filter-regexp");
+            String aclFilter = group.getFirstAttribute("acls-filter-regexp");
 
             if (!isNullOrEmpty(topicFilter)) {
                 claimEntries.add(getClaimEntry("topic-reader", topicFilter));
@@ -115,10 +117,16 @@ protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                 claimEntries.add(getClaimEntry("connect-reader", connectFilter));
             }
 
+            if (!isNullOrEmpty(registryFilter)) {
+                claimEntries.add(getClaimEntry("registry-reader", registryFilter));
+            }
+
+            if (!isNullOrEmpty(aclFilter)) {
+                claimEntries.add(getClaimEntry("acl-reader", aclFilter));
+            }
+
             // Avoids other unrelated user groups from appearing in token.
             if (!claimEntries.isEmpty()) {
-                claimEntries.add(getClaimEntry("registry-reader", ".*"));
-                claimEntries.add(getClaimEntry("acl-reader", ".*"));
                 groupClaims.put(groupName, claimEntries);
             }
 

java/src/test/java/io/github/stevenjdh/akhq/acl/mapper/AkhqAclMapperTest.java

@@ -148,8 +148,8 @@ void Should_SetCustomClaimWithAcls_When_UserGroupHasAttributesConfigured() {
                 Map.of("role", "topic-reader", "patterns", List.of("moe.*")),
                 Map.of("role", "group-reader", "patterns", List.of("larry.*")),
                 Map.of("role", "connect-reader", "patterns", List.of("curly.*")),
-                Map.of("role", "registry-reader", "patterns", List.of(".*")),
-                Map.of("role", "acl-reader", "patterns", List.of(".*"))
+                Map.of("role", "registry-reader", "patterns", List.of("shemp.*")),
+                Map.of("role", "acl-reader", "patterns", List.of("joe.*"))
         );
         Map<String, Object> expectedClaimValue = Map.of("foobar-group", claimEntries);
 
@@ -161,6 +161,10 @@ void Should_SetCustomClaimWithAcls_When_UserGroupHasAttributesConfigured() {
                 .thenReturn("larry.*");
         when(mockGroup.getFirstAttribute("connects-filter-regexp"))
                 .thenReturn("curly.*");
+        when(mockGroup.getFirstAttribute("registry-filter-regexp"))
+                .thenReturn("shemp.*");
+        when(mockGroup.getFirstAttribute("acls-filter-regexp"))
+                .thenReturn("joe.*");
         when(mockUser.getGroupsStream())
                 .thenReturn(Stream.of(mockGroup));
         when(mockUserSession.getUser())

nodejs/akhq-acl-mapper-script.js

@@ -55,6 +55,9 @@ groups.forEach(function(group) {
     var topicFilter = group.getFirstAttribute("topics-filter-regexp");
     var groupFilter = group.getFirstAttribute("consumer-groups-filter-regexp");
     var connectFilter = group.getFirstAttribute("connects-filter-regexp");
+    var registryFilter = group.getFirstAttribute("registry-filter-regexp");
+    var aclFilter = group.getFirstAttribute("acls-filter-regexp");
+
 
     if (topicFilter) {
         claimEntries.add(getClaimEntry("topic-reader", topicFilter));
@@ -68,10 +71,16 @@ groups.forEach(function(group) {
         claimEntries.add(getClaimEntry("connect-reader", connectFilter));
     }
 
+    if (registryFilter) {
+        claimEntries.add(getClaimEntry("registry-reader", registryFilter));
+    }
+
+    if (aclFilter) {
+        claimEntries.add(getClaimEntry("acl-reader", aclFilter));
+    }
+
     // Avoids other unrelated user groups from appearing in token.
     if (!claimEntries.isEmpty()) {
-        claimEntries.add(getClaimEntry("registry-reader", ".*"));
-        claimEntries.add(getClaimEntry("acl-reader", ".*"));
         groupClaims[groupName] = claimEntries;
     }