Merge pull request #15 from cmu-sei/fixing-keycloak-bug

sei-npacheco · web-flow · commit fe7847580887 · 2025-05-21T16:45:41.000-04:00
fixed keycloak redirect bug
diff --git a/classes/crucible.php b/classes/crucible.php
@@ -1306,6 +1306,9 @@ public function get_keycloak_groups() {
             return 0;
         }
 
+        // Convert /admin/{realm}/console → /admin/realms/{realm}
+        $url = preg_replace('#/admin/([^/]+)/console$#', '/realms/$1', rtrim($url, '/'));
+
         $url .= "/protocol/openid-connect/token";
 
         $issuerid = get_config('block_crucible', 'issuerid');
@@ -1351,25 +1354,44 @@ public function get_keycloak_groups() {
         // Initialize cURL.
         $ch = curl_init();
 
-        // Web request
+        // Set the headers with the Authorization token.
+        $headers = [
+            "Authorization: Bearer $accessToken",
+        ];
+
         $realmUrl = get_config('block_crucible', 'keycloakadminurl');
         if (empty($realmUrl)) {
             return 0;
         }
 
-        $userid = $USER->idnumber;
+        $realmUrl = preg_replace('#/admin/([^/]+)/console$#', '/admin/realms/$1', rtrim($realmUrl, '/'));
+
+        $username = $USER->username;
+
+        // Build user search URL
+        $userSearchUrl = $realmUrl . '/users?username=' . urlencode($username);
 
-        $realmUrl = rtrim($realmUrl, '/');
-        if (strpos($realmUrl, '/admin/realms/') === false && strpos($realmUrl, '/realms/') !== false) {
-            $realmUrl = str_replace('/realms/', '/admin/realms/', $realmUrl);
+        // Prepare request
+        curl_setopt($ch, CURLOPT_URL, $userSearchUrl);
+        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
+
+        $response = curl_exec($ch);
+        curl_close($ch);
+
+        $userlist = json_decode($response, true);
+
+        // Defensive check
+        if (!is_array($userlist) || empty($userlist)) {
+            debugging("No users found in Keycloak matching username: $username", DEBUG_DEVELOPER);
+            return 0;
         }
 
-        $groupUrl = $realmUrl . '/users/' . urlencode($userid) . '/groups';
+        // Get the Keycloak UUID
+        $keycloakUserid = $userlist[0]['id'];
 
-        // Set the headers with the Authorization token.
-        $headers = [
-            "Authorization: Bearer $accessToken",
-        ];
+        $groupUrl = $realmUrl . '/users/' . urlencode($keycloakUserid) . '/groups';
 
         // Set cURL options for a GET request.
         curl_setopt($ch, CURLOPT_URL, $groupUrl);
@@ -1379,6 +1401,7 @@ public function get_keycloak_groups() {
 
         // Execute the request and capture the response.
         $response = curl_exec($ch);
+
         curl_close($ch);
 
         // Check for errors and close the session.
@@ -1424,6 +1447,8 @@ public function get_keycloak_roles() {
             return 0;
         }
 
+        $url = preg_replace('#/admin/([^/]+)/console$#', '/realms/$1', rtrim($url, '/'));
+
         $url .= "/protocol/openid-connect/token";
 
         $issuerid = get_config('block_crucible', 'issuerid');
@@ -1472,21 +1497,40 @@ public function get_keycloak_roles() {
             return 0;
         }
 
-        $userid = $USER->idnumber;
+        $realmUrl = preg_replace('#/admin/([^/]+)/console$#', '/admin/realms/$1', rtrim($realmUrl, '/'));
 
-        // Normalize and convert to admin API path
-        $realmUrl = rtrim($realmUrl, '/');
-        if (strpos($realmUrl, '/admin/realms/') === false && strpos($realmUrl, '/realms/') !== false) {
-            $realmUrl = str_replace('/realms/', '/admin/realms/', $realmUrl);
-        }
-
-        $roleUrl = $realmUrl . '/users/' . urlencode($userid) . '/role-mappings/realm';
+        $username = $USER->username;
 
         // Set the headers with the Authorization token.
         $headers = [
             "Authorization: Bearer $accessToken",
         ];
 
+        // Build user search URL
+        $userSearchUrl = $realmUrl . '/users?username=' . urlencode($username);
+
+        // Prepare request
+        curl_setopt($ch, CURLOPT_URL, $userSearchUrl);
+        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
+
+        $response = curl_exec($ch);
+        curl_close($ch);
+
+        $userlist = json_decode($response, true);
+
+        // Defensive check
+        if (!is_array($userlist) || empty($userlist)) {
+            debugging("No users found in Keycloak matching username: $username", DEBUG_DEVELOPER);
+            return 0;
+        }
+
+        // Get the Keycloak UUID
+        $keycloakUserid = $userlist[0]['id'];
+
+        $roleUrl = $realmUrl . '/users/' . urlencode($keycloakUserid) . '/role-mappings/realm';
+
         // Set cURL options for a GET request.
         curl_setopt($ch, CURLOPT_URL, $roleUrl);
         curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
diff --git a/version.php b/version.php
@@ -42,7 +42,7 @@
 
 defined('MOODLE_INTERNAL') || die;
 
-$plugin->version = 2025052000;
+$plugin->version = 2025052101;
 $plugin->requires  = 2021051100;
 $plugin->component = 'block_crucible';
 $plugin->maturity = MATURITY_ALPHA;
