Fix for missing object representation in admin event log when deleting user, group, client (#43620)

* Fix for missing object representation in admin event log when deleting user, group, client

Closes #33009

Signed-off-by: jwozniakowski <wozniakowski@netguardians.ch>

* Fix issues and add role representation when deleting a role

Closes #33009

Signed-off-by: Martin Kanis <mkanis@redhat.com>

---------

Signed-off-by: jwozniakowski <wozniakowski@netguardians.ch>
Signed-off-by: Martin Kanis <mkanis@redhat.com>
Co-authored-by: jwozniakowski <wozniakowski@netguardians.ch>

services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java

@@ -257,6 +257,10 @@ public class ClientResource {
 
         AdminPermissionsSchema.SCHEMA.throwExceptionIfAdminPermissionClient(session, client.getId());
 
+        ClientRepresentation clientRepresentation = new ClientRepresentation();
+        clientRepresentation.setId(client.getId());
+        clientRepresentation.setClientId(client.getClientId());
+
         try {
             session.clientPolicy().triggerOnEvent(new AdminClientUnregisterContext(client, auth.adminAuth()));
         } catch (ClientPolicyException cpe) {
@@ -264,7 +268,7 @@ public class ClientResource {
         }
 
         if (new ClientManager(new RealmManager(session)).removeClient(realm, client)) {
-            adminEvent.operation(OperationType.DELETE).resourcePath(session.getContext().getUri()).success();
+            adminEvent.operation(OperationType.DELETE).representation(clientRepresentation).resourcePath(session.getContext().getUri()).success();
         }
         else {
             throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Could not delete client",

services/src/main/java/org/keycloak/services/resources/admin/GroupResource.java

@@ -166,9 +166,12 @@ public class GroupResource {
     @Operation()
     public void deleteGroup() {
         this.auth.groups().requireManage(group);
+        GroupRepresentation groupRepresentation = new GroupRepresentation();
+        groupRepresentation.setId(group.getId());
+        groupRepresentation.setName(group.getName());
 
         realm.removeGroup(group);
-        adminEvent.operation(OperationType.DELETE).resourcePath(session.getContext().getUri()).success();
+        adminEvent.operation(OperationType.DELETE).representation(groupRepresentation).resourcePath(session.getContext().getUri()).success();
     }
 
     @GET

services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java

@@ -283,6 +283,10 @@ public class RoleContainerResource extends RoleResource {
             throw ErrorResponse.error(roleName + " is default role of the realm and cannot be removed.",
                     Response.Status.BAD_REQUEST);
         }
+        RoleRepresentation roleRepresentation = new RoleRepresentation();
+        roleRepresentation.setId(role.getId());
+        roleRepresentation.setName(role.getName());
+
         deleteRole(role);
 
         if (role.isClientRole()) {
@@ -291,7 +295,7 @@ public class RoleContainerResource extends RoleResource {
             adminEvent.resource(ResourceType.REALM_ROLE);
         }
 
-        adminEvent.operation(OperationType.DELETE).resourcePath(uriInfo).success();
+        adminEvent.operation(OperationType.DELETE).representation(roleRepresentation).resourcePath(uriInfo).success();
 
     }
 

services/src/main/java/org/keycloak/services/resources/admin/UserResource.java

@@ -706,9 +706,13 @@ public class UserResource {
     public Response deleteUser() {
         auth.users().requireManage(user);
 
+        UserRepresentation userRepresentation = new UserRepresentation();
+        userRepresentation.setId(user.getId());
+        userRepresentation.setUsername(user.getUsername());
+
         boolean removed = new UserManager(session).removeUser(realm, user);
         if (removed) {
-            adminEvent.operation(OperationType.DELETE).resourcePath(session.getContext().getUri()).success();
+            adminEvent.operation(OperationType.DELETE).representation(userRepresentation).resourcePath(session.getContext().getUri()).success();
             return Response.noContent().build();
         } else {
             throw ErrorResponse.error("User couldn't be deleted", Status.BAD_REQUEST);

test-framework/examples/tests/src/test/java/org/keycloak/test/examples/AdminEventsTest.java

@@ -57,11 +57,15 @@ public class AdminEventsTest {
 
         adminClient.realm(realm.getName()).users().delete(userId);
 
+        UserRepresentation extectedRep = new UserRepresentation();
+        extectedRep.setId(userRep.getId());
+        extectedRep.setUsername(userName);
+
         AdminEventAssertion.assertSuccess(adminEvents.poll())
                 .operationType(OperationType.DELETE)
                 .resourceType(ResourceType.USER)
                 .resourcePath("users", userId)
-                .representation(null);
+                .representation(extectedRep);
     }
 
     @Test

tests/base/src/test/java/org/keycloak/tests/admin/user/AbstractUserTest.java

@@ -210,7 +210,10 @@ public class AbstractUserTest {
         try (Response response = managedRealm.admin().users().delete(id)) {
             assertEquals(204, response.getStatus());
         }
-        AdminEventAssertion.assertEvent(adminEvents.poll(), OperationType.DELETE, AdminEventPaths.userResourcePath(id), ResourceType.USER);
+        AdminEventRepresentation event = adminEvents.poll();
+        AdminEventAssertion.assertEvent(event, OperationType.DELETE, AdminEventPaths.userResourcePath(id), ResourceType.USER);
+        Assertions.assertNotNull(event.getRepresentation());
+        Assertions.assertTrue(event.getRepresentation().contains(id));
     }
 
     protected void addFederatedIdentity(String keycloakUserId, String identityProviderAlias1,