added variable to disable scripts (#41)

p2-inc · Nov 2, 2023 · 9ee0291 · 9ee0291
1 parent bbf6974
commit 9ee0291
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -184,8 +184,12 @@ There is also a custom REST resource that allows publishing of arbitrary events.
 | `/auth/realms/:realm/events` | `POST` | Event object | `202 = Event received`<br/>`400 = Malformed event`<br/>`403 = API rate limit exceeded`<br/>`409 = Reserved event type` | Publish event |
 
 
-#### For system owners
+### For system owners
 
+#### Scripts
+It is possible to disable the scripts run by the `ScriptEventListenerProvider` by setting `SCRIPTS_DISABLED=true`. This may be desirable in shared environments where it is not ideal to allow user code to run in the Keycloak process. Note that this will just cause the scripts to fail silently.
+
+#### Webhooks
 There is a special catch-all webhook that can be used by system owners to always send events to an endpoint, even though it is not defined as a manageable webhook entity. Set the `WEBHOOK_URI` AND `WEBHOOK_SECRET` environtment variables, and all events will be sent to this endpoint. This is used, for example, in cases where system owners want to send events to a more scalable store.
 
 ---

diff --git a/pom.xml b/pom.xml
@@ -30,7 +30,7 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <main.java.package>io.phasetwo.keycloak.events</main.java.package>
     <junit.version>4.13.2</junit.version>
-    <keycloak.version>22.0.4</keycloak.version>
+    <keycloak.version>22.0.5</keycloak.version>
     <lombok.version>1.18.30</lombok.version>
     <auto-service.version>1.1.1</auto-service.version>
     <ossrh.url>https://s01.oss.sonatype.org</ossrh.url>

diff --git a/src/main/java/io/phasetwo/keycloak/events/ScriptEventListenerProvider.java b/src/main/java/io/phasetwo/keycloak/events/ScriptEventListenerProvider.java
@@ -17,16 +17,19 @@
 @JBossLog
 public class ScriptEventListenerProvider implements EventListenerProvider, Configurable {
 
+  protected static final String SCRIPTS_DISABLED_ENV = "SCRIPTS_DISABLED";
   protected static final String ON_EVENT_FUNCTION_NAME = "onEvent";
   protected static final String ON_ADMIN_EVENT_FUNCTION_NAME = "onAdminEvent";
   protected static final String SCRIPT_CODE = "scriptCode";
   protected static final String SCRIPT_NAME = "scriptName";
   protected static final String SCRIPT_DESCRIPTION = "scriptDescription";
 
   protected final KeycloakSession session;
-
+  protected final boolean scriptsDisabled;
+
   public ScriptEventListenerProvider(KeycloakSession session) {
     this.session = session;
+    this.scriptsDisabled = Boolean.parseBoolean(System.getenv(SCRIPTS_DISABLED_ENV));
   }
 
   protected Map<String, Object> config;
@@ -38,6 +41,7 @@ public void setConfig(Map<String, Object> config) {
 
   @Override
   public void onEvent(Event event) {
+    if (scriptsDisabled) return;
     log.debugf("run event in js\n%s", config.get(SCRIPT_CODE).toString());
     InvocableScriptAdapter invocableScriptAdapter =
         getInvocableScriptAdapter(
@@ -54,6 +58,7 @@ public void onEvent(Event event) {
 
   @Override
   public void onEvent(AdminEvent event, boolean b) {
+    if (scriptsDisabled) return;
     log.debugf("run admin event in js\n%s", config.get(SCRIPT_CODE).toString());
     InvocableScriptAdapter invocableScriptAdapter =
         getInvocableScriptAdapter(