Add regex support in 'Condition - User attribute' execution

Closes #265
2023-09-12 12:36:14 +03:00 · 2023-09-12 12:36:14 +03:00 · 0044472f87
commit 0044472f87
parent 48ab2b1688
3 changed files with 48 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/authentication/authenticators/conditional/ConditionalUserAttributeValue.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/conditional/ConditionalUserAttributeValue.java
@ -27,6 +27,7 @@ import org.keycloak.models.utils.KeycloakModelUtils;

 import java.util.Map;
 import java.util.Objects;
+import java.util.regex.Pattern;

 public class ConditionalUserAttributeValue implements ConditionalAuthenticator {

@ -40,15 +41,16 @@ public class ConditionalUserAttributeValue implements ConditionalAuthenticator {
        String attributeValue = config.get(ConditionalUserAttributeValueFactory.CONF_ATTRIBUTE_EXPECTED_VALUE);
        boolean includeGroupAttributes = Boolean.parseBoolean(config.get(ConditionalUserAttributeValueFactory.CONF_INCLUDE_GROUP_ATTRIBUTES));
        boolean negateOutput = Boolean.parseBoolean(config.get(ConditionalUserAttributeValueFactory.CONF_NOT));
+        boolean regexOutput = Boolean.parseBoolean(config.get(ConditionalUserAttributeValueFactory.REGEX));

        UserModel user = context.getUser();
        if (user == null) {
            throw new AuthenticationFlowException("Cannot find user for obtaining particular user attributes. Authenticator: " + ConditionalUserAttributeValueFactory.PROVIDER_ID, AuthenticationFlowError.UNKNOWN_USER);
        }

-        boolean result = user.getAttributeStream(attributeName).anyMatch(attr -> Objects.equals(attr, attributeValue));
+        boolean result = user.getAttributeStream(attributeName).anyMatch(attr -> regexOutput ? Pattern.compile(attributeValue).matcher(attr).matches() : Objects.equals(attr, attributeValue));
        if (!result && includeGroupAttributes) {
-            result = KeycloakModelUtils.resolveAttribute(user, attributeName, true).stream().anyMatch(attr -> Objects.equals(attr, attributeValue));
+            result = KeycloakModelUtils.resolveAttribute(user, attributeName, true).stream().anyMatch(attr -> regexOutput ? Pattern.compile(attributeValue).matcher(attr).matches() : Objects.equals(attr, attributeValue));
        }
        return negateOutput != result;
    }
--- a/services/src/main/java/org/keycloak/authentication/authenticators/conditional/ConditionalUserAttributeValueFactory.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/conditional/ConditionalUserAttributeValueFactory.java
@ -33,6 +33,7 @@ public class ConditionalUserAttributeValueFactory implements ConditionalAuthenti
    public static final String CONF_ATTRIBUTE_EXPECTED_VALUE = "attribute_expected_value";
    public static final String CONF_INCLUDE_GROUP_ATTRIBUTES = "include_group_attributes";
    public static final String CONF_NOT = "not";
+    public static final String REGEX = "regex";

    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
            AuthenticationExecutionModel.Requirement.REQUIRED, AuthenticationExecutionModel.Requirement.DISABLED
@ -109,7 +110,13 @@ public class ConditionalUserAttributeValueFactory implements ConditionalAuthenti
        negateOutput.setLabel("Negate output");
        negateOutput.setHelpText("Apply a not to the check result");

-        return Arrays.asList(authNoteName, authNoteExpectedValue, includeGroupAttributes, negateOutput);
+        ProviderConfigProperty regexOutput = new ProviderConfigProperty();
+        regexOutput.setType(ProviderConfigProperty.BOOLEAN_TYPE);
+        regexOutput.setName(REGEX);
+        regexOutput.setLabel(REGEX);
+        regexOutput.setHelpText("Check equality with regex");
+
+        return Arrays.asList(authNoteName, authNoteExpectedValue, includeGroupAttributes, negateOutput, regexOutput);
    }

    @Override
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/AllowDenyAuthenticatorTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/AllowDenyAuthenticatorTest.java
@ -146,6 +146,42 @@ public class AllowDenyAuthenticatorTest extends AbstractTestRealmKeycloakTest {
        }
    }

+    @Test
+    public void testDenyAccessWithRegexUserAttributeCondition() {
+        final String flowAlias = "browser - user attribute condition";
+        final String userWithoutAttribute = "test-user@localhost";
+        final String errorMessage = "You don't have necessary attribute.";
+
+        Map<String, String> attributeConfigMap = new HashMap<>();
+        attributeConfigMap.put(ConditionalUserAttributeValueFactory.CONF_ATTRIBUTE_NAME, "firstName");
+        attributeConfigMap.put(ConditionalUserAttributeValueFactory.CONF_ATTRIBUTE_EXPECTED_VALUE, "T(.*)");
+        attributeConfigMap.put(ConditionalUserAttributeValueFactory.REGEX, "true");
+
+        Map<String, String> denyAccessConfigMap = new HashMap<>();
+        denyAccessConfigMap.put(DenyAccessAuthenticatorFactory.ERROR_MESSAGE, errorMessage);
+
+        configureBrowserFlowWithDenyAccessInConditionalFlow(flowAlias, ConditionalUserAttributeValueFactory.PROVIDER_ID, attributeConfigMap, denyAccessConfigMap);
+
+        try {
+            loginUsernameOnlyPage.open();
+            loginUsernameOnlyPage.assertCurrent();
+            loginUsernameOnlyPage.login(userWithoutAttribute);
+
+            errorPage.assertCurrent();
+            assertThat(errorPage.getError(), is(errorMessage));
+
+            events.expectLogin()
+                    .user((String) null)
+                    .session((String) null)
+                    .error(Errors.ACCESS_DENIED)
+                    .detail(Details.USERNAME, userWithoutAttribute)
+                    .removeDetail(Details.CONSENT)
+                    .assertEvent();
+        } finally {
+            revertFlows(testRealm(), flowAlias);
+        }
+    }
+
    /**
     * Deny access, if user has defined the role and print error message.
     */