Add regex role mapper example

schlijo · Sep 22, 2021 · f893018 · f893018
1 parent 2f2f06d
commit f893018
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 0 deletions.
diff --git a/regex-role-mapper/README.md b/regex-role-mapper/README.md
@@ -0,0 +1,66 @@
+## Using a regex role mapper 
+
+This example demonstrates the use of `regex-role-mapper` resource that was added to elytron subsystem in order to simplify a mapping of roles in the Elytron security domain to other roles with the use of regular expressions.
+
+### Set Up
+
+Clone the ```elytron-examples``` repo locally:
+
+```
+git clone https://github.com/wildfly-security-incubator/elytron-examples
+cd elytron-examples/regex-role-mapper
+```
+
+### Server configuration
+
+Run the server with:
+
+```
+$SERVER_HOME/bin/standalone.sh
+```
+
+The following command can now be used to configure the ```regex-role-mapper``` in the subsystem.
+
+```
+$SERVER_HOME/bin/jboss-cli.sh --connect --file=$PATH_TO_ELYTRON_EXAMPLES/regex-role-mapper/configure-elytron.cli
+```
+
+The configure-elytron.cli script configured the server to use the regular expression role mapper that maps the roles to only represent a last letters of a role that are after the last `-` sign.
+In other words it maps roles that match .*-([a-z]*) to the role $1.
+
+Then the script added a user `joe` with the following roles: `["123-user","123-admin"]`
+
+
+### Test regex role mapper
+
+Now connect to the WildFly CLI with 
+
+```
+$SERVER_HOME/bin/jboss-cli.sh --connect 
+```
+
+and run the following command:
+
+```
+/subsystem=elytron/security-domain=mySD:read-identity(name=joe)
+```
+
+you will see the following output:
+```
+{
+    "outcome" => "success",
+    "result" => {
+        "name" => "joe",
+        "attributes" => {"Roles" => [
+            "123-user",
+            "123-admin"
+        ]},
+        "roles" => [
+            "admin",
+            "user"
+        ]
+    }
+}
+```
+
+The above output means that the regex role mapper successfully mapped roles from the `Roles` attribute to be `admin` and `user` only.
diff --git a/regex-role-mapper/configure-elytron.cli b/regex-role-mapper/configure-elytron.cli
@@ -0,0 +1,24 @@
+# Batch script to enable elytron for the quickstart application in the JBoss EAP server
+
+# Start batching commands
+batch
+
+/subsystem=elytron/filesystem-realm=myFsRealm:add(path=my-fs-realm-users,relative-to=jboss.server.config.dir)
+
+/subsystem=elytron/filesystem-realm=myFsRealm:add-identity(identity=joe)
+
+/subsystem=elytron/filesystem-realm=myFsRealm:add-identity-attribute(identity=joe, name=Roles, value=["123-user","123-admin"])
+
+/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
+
+/subsystem=elytron/regex-role-mapper=rrm:add(pattern=".*-([a-z]*)", replacement="$1", keep-non-mapped="false", replace-all="false")
+
+/subsystem=elytron/security-domain=mySD:add(realms=[{realm=myFsRealm,role-decoder=from-roles-attribute}],role-mapper=rrm,default-realm=myFsRealm,permission-mapper=default-permission-mapper)
+
+# Run the batch commands
+run-batch
+
+# Reload the server configuration
+reload
+
+
diff --git a/regex-role-mapper/restore.cli b/regex-role-mapper/restore.cli
@@ -0,0 +1,12 @@
+/subsystem=elytron/security-domain=mySD:remove()
+
+/subsystem=elytron/regex-role-mapper=rrm:remove()
+
+/subsystem=elytron/simple-role-decoder=from-roles-attribute:remove()
+
+/subsystem=elytron/filesystem-realm=myFsRealm:remove-identity(identity=joe)
+
+/subsystem=elytron/filesystem-realm=myFsRealm:remove()
+
+reload
+