refactor execution model

connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.5.0.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
+    <changeSet author="bburke@redhat.com" id="1.5.0">
+        <delete tableName="CLIENT_SESSION_AUTH_STATUS"/>
+        <delete tableName="CLIENT_SESSION_ROLE"/>
+        <delete tableName="CLIENT_SESSION_PROT_MAPPER"/>
+        <delete tableName="CLIENT_SESSION_NOTE"/>
+        <delete tableName="CLIENT_SESSION"/>
+        <delete tableName="USER_SESSION_NOTE"/>
+        <delete tableName="USER_SESSION"/>
+
+        <dropColumn tableName="AUTHENTICATION_EXECUTION" columnName="USER_SETUP_ALLOWED"/>
+    </changeSet>
+</databaseChangeLog>

connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-master.xml

@@ -8,4 +8,5 @@
     <include file="META-INF/jpa-changelog-1.2.0.Final.xml"/>
     <include file="META-INF/jpa-changelog-1.3.0.xml"/>
     <include file="META-INF/jpa-changelog-1.4.0.xml"/>
+    <include file="META-INF/jpa-changelog-1.5.0.xml"/>
 </databaseChangeLog>

connections/jpa/src/main/java/org/keycloak/connections/jpa/updater/JpaUpdaterProvider.java

@@ -12,7 +12,7 @@ public interface JpaUpdaterProvider extends Provider {
 
     public String FIRST_VERSION = "1.0.0.Final";
 
-    public String LAST_VERSION = "1.4.0";
+    public String LAST_VERSION = "1.5.0";
 
     public String getCurrentVersionSql(String defaultSchema);
 

model/api/src/main/java/org/keycloak/models/AuthenticationExecutionModel.java

@@ -25,7 +25,6 @@ public class AuthenticationExecutionModel implements Serializable {
     private String flowId;
     private boolean authenticatorFlow;
     private Requirement requirement;
-    private boolean userSetupAllowed;
     private int priority;
     private String parentFlow;
 
@@ -69,14 +68,6 @@ public class AuthenticationExecutionModel implements Serializable {
         this.priority = priority;
     }
 
-    public boolean isUserSetupAllowed() {
-        return userSetupAllowed;
-    }
-
-    public void setUserSetupAllowed(boolean userSetupAllowed) {
-        this.userSetupAllowed = userSetupAllowed;
-    }
-
     public String getParentFlow() {
         return parentFlow;
     }

model/api/src/main/java/org/keycloak/models/utils/DefaultAuthenticationFlows.java

@@ -55,7 +55,6 @@ public class DefaultAuthenticationFlows {
         execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
         execution.setAuthenticator("registration-page-form");
         execution.setPriority(10);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(true);
         execution.setFlowId(registrationFormFlow.getId());
         realm.addAuthenticatorExecution(execution);
@@ -65,7 +64,6 @@ public class DefaultAuthenticationFlows {
         execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
         execution.setAuthenticator("registration-user-creation");
         execution.setPriority(20);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
 
@@ -74,7 +72,6 @@ public class DefaultAuthenticationFlows {
         execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
         execution.setAuthenticator("registration-profile-action");
         execution.setPriority(40);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
 
@@ -83,7 +80,6 @@ public class DefaultAuthenticationFlows {
         execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
         execution.setAuthenticator("registration-password-action");
         execution.setPriority(50);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
 
@@ -99,7 +95,6 @@ public class DefaultAuthenticationFlows {
         execution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED);
         execution.setAuthenticator("registration-recaptcha-action");
         execution.setPriority(60);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         //execution.setAuthenticatorConfig(captchaConfig.getId());
         realm.addAuthenticatorExecution(execution);
@@ -137,7 +132,6 @@ public class DefaultAuthenticationFlows {
         execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
         execution.setAuthenticator("direct-grant-validate-username");
         execution.setPriority(10);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
 
@@ -150,7 +144,6 @@ public class DefaultAuthenticationFlows {
         }
         execution.setAuthenticator("direct-grant-validate-password");
         execution.setPriority(20);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
 
@@ -163,7 +156,6 @@ public class DefaultAuthenticationFlows {
         }
         execution.setAuthenticator("direct-grant-validate-otp");
         execution.setPriority(30);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
 
@@ -184,7 +176,6 @@ public class DefaultAuthenticationFlows {
         execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
         execution.setAuthenticator("auth-cookie");
         execution.setPriority(10);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
         execution = new AuthenticationExecutionModel();
@@ -196,7 +187,6 @@ public class DefaultAuthenticationFlows {
         }
         execution.setAuthenticator("auth-spnego");
         execution.setPriority(20);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
 
@@ -213,7 +203,6 @@ public class DefaultAuthenticationFlows {
         execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
         execution.setFlowId(forms.getId());
         execution.setPriority(30);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(true);
         realm.addAuthenticatorExecution(execution);
 
@@ -224,7 +213,6 @@ public class DefaultAuthenticationFlows {
         execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
         execution.setAuthenticator("auth-username-password-form");
         execution.setPriority(10);
-        execution.setUserSetupAllowed(false);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
 
@@ -239,7 +227,6 @@ public class DefaultAuthenticationFlows {
 
         execution.setAuthenticator("auth-otp-form");
         execution.setPriority(20);
-        execution.setUserSetupAllowed(true);
         execution.setAuthenticatorFlow(false);
         realm.addAuthenticatorExecution(execution);
     }

model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java

@@ -468,7 +468,6 @@ public class ModelToRepresentation {
             rep.setFlowAlias(flow.getAlias());
        }
         rep.setPriority(model.getPriority());
-        rep.setUserSetupAllowed(model.isUserSetupAllowed());
         rep.setRequirement(model.getRequirement().name());
         return rep;
     }

model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java

@@ -1083,7 +1083,6 @@ public class RepresentationToModel {
             model.setFlowId(flow.getId());
         }
         model.setPriority(rep.getPriority());
-        model.setUserSetupAllowed(rep.isUserSetupAllowed());
         model.setRequirement(AuthenticationExecutionModel.Requirement.valueOf(rep.getRequirement()));
         return model;
     }

model/file/src/main/java/org/keycloak/models/file/adapter/RealmAdapter.java

@@ -1308,7 +1308,6 @@ public class RealmAdapter implements RealmModel {
     public AuthenticationExecutionModel entityToModel(AuthenticationExecutionEntity entity) {
         AuthenticationExecutionModel model = new AuthenticationExecutionModel();
         model.setId(entity.getId());
-        model.setUserSetupAllowed(entity.isUserSetupAllowed());
         model.setRequirement(entity.getRequirement());
         model.setPriority(entity.getPriority());
         model.setAuthenticator(entity.getAuthenticator());
@@ -1345,7 +1344,6 @@ public class RealmAdapter implements RealmModel {
         entity.setAuthenticator(model.getAuthenticator());
         entity.setPriority(model.getPriority());
         entity.setRequirement(model.getRequirement());
-        entity.setUserSetupAllowed(model.isUserSetupAllowed());
         entity.setAuthenticatorFlow(model.isAuthenticatorFlow());
         entity.setFlowId(model.getFlowId());
         entity.setAuthenticatorConfig(model.getAuthenticatorConfig());
@@ -1371,7 +1369,6 @@ public class RealmAdapter implements RealmModel {
         entity.setPriority(model.getPriority());
         entity.setRequirement(model.getRequirement());
         entity.setFlowId(model.getFlowId());
-        entity.setUserSetupAllowed(model.isUserSetupAllowed());
         entity.setAuthenticatorConfig(model.getAuthenticatorConfig());
     }
 

model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java

@@ -1622,7 +1622,6 @@ public class RealmAdapter implements RealmModel {
     public AuthenticationExecutionModel entityToModel(AuthenticationExecutionEntity entity) {
         AuthenticationExecutionModel model = new AuthenticationExecutionModel();
         model.setId(entity.getId());
-        model.setUserSetupAllowed(entity.isUserSetupAllowed());
         model.setRequirement(entity.getRequirement());
         model.setPriority(entity.getPriority());
         model.setAuthenticator(entity.getAuthenticator());
@@ -1654,7 +1653,6 @@ public class RealmAdapter implements RealmModel {
         entity.setParentFlow(flow);
         flow.getExecutions().add(entity);
         entity.setRealm(realm);
-        entity.setUserSetupAllowed(model.isUserSetupAllowed());
         entity.setAutheticatorFlow(model.isAuthenticatorFlow());
         em.persist(entity);
         em.flush();
@@ -1671,7 +1669,6 @@ public class RealmAdapter implements RealmModel {
         entity.setAuthenticator(model.getAuthenticator());
         entity.setPriority(model.getPriority());
         entity.setRequirement(model.getRequirement());
-        entity.setUserSetupAllowed(model.isUserSetupAllowed());
         entity.setAuthenticatorConfig(model.getAuthenticatorConfig());
         entity.setFlowId(model.getFlowId());
         em.flush();

model/jpa/src/main/java/org/keycloak/models/jpa/entities/AuthenticationExecutionEntity.java

@@ -51,9 +51,6 @@ public class AuthenticationExecutionEntity {
     @Column(name="PRIORITY")
     protected int priority;
 
-    @Column(name="USER_SETUP_ALLOWED")
-    private boolean userSetupAllowed;
-
     @Column(name="AUTHENTICATOR_FLOW")
     private boolean autheticatorFlow;
 
@@ -97,14 +94,6 @@ public class AuthenticationExecutionEntity {
         this.priority = priority;
     }
 
-    public boolean isUserSetupAllowed() {
-        return userSetupAllowed;
-    }
-
-    public void setUserSetupAllowed(boolean userSetupAllowed) {
-        this.userSetupAllowed = userSetupAllowed;
-    }
-
     public boolean isAutheticatorFlow() {
         return autheticatorFlow;
     }

model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java

@@ -1384,7 +1384,6 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
     public AuthenticationExecutionModel entityToModel(AuthenticationExecutionEntity entity) {
         AuthenticationExecutionModel model = new AuthenticationExecutionModel();
         model.setId(entity.getId());
-        model.setUserSetupAllowed(entity.isUserSetupAllowed());
         model.setRequirement(entity.getRequirement());
         model.setPriority(entity.getPriority());
         model.setAuthenticator(entity.getAuthenticator());
@@ -1421,7 +1420,6 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
         entity.setAuthenticator(model.getAuthenticator());
         entity.setPriority(model.getPriority());
         entity.setRequirement(model.getRequirement());
-        entity.setUserSetupAllowed(model.isUserSetupAllowed());
         entity.setAuthenticatorFlow(model.isAuthenticatorFlow());
         entity.setFlowId(model.getFlowId());
         entity.setParentFlow(model.getParentFlow());
@@ -1449,7 +1447,6 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
         entity.setPriority(model.getPriority());
         entity.setRequirement(model.getRequirement());
         entity.setFlowId(model.getFlowId());
-        entity.setUserSetupAllowed(model.isUserSetupAllowed());
         entity.setAuthenticatorConfig(model.getAuthenticatorConfig());
         updateMongoEntity();
     }

services/src/main/java/org/keycloak/authentication/ConfigurableAuthenticatorFactory.java

@@ -25,4 +25,14 @@ public interface ConfigurableAuthenticatorFactory extends ConfiguredProvider {
      * @return
      */
     AuthenticationExecutionModel.Requirement[] getRequirementChoices();
+
+    /**
+     *
+     * Does this authenticator have required actions that can set if the user does not have
+     * this authenticator set up?
+     *
+     *
+     * @return
+     */
+    boolean isUserSetupAllowed();
 }

services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java

@@ -124,7 +124,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow {
                 configuredFor = authenticator.configuredFor(processor.getSession(), processor.getRealm(), authUser);
                 if (!configuredFor) {
                     if (model.isRequired()) {
-                        if (model.isUserSetupAllowed()) {
+                        if (factory.isUserSetupAllowed()) {
                             AuthenticationProcessor.logger.debugv("authenticator SETUP_REQUIRED: {0}", factory.getId());
                             processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SETUP_REQUIRED);
                             authenticator.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getClientSession().getAuthenticatedUser());

services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java

@@ -152,7 +152,8 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
                 executionStatus.put(formActionExecution.getId(), ClientSessionModel.ExecutionStatus.SKIPPED);
                 continue;
             }
-            FormAction action = processor.getSession().getProvider(FormAction.class, formActionExecution.getAuthenticator());
+            FormActionFactory factory = (FormActionFactory)processor.getSession().getKeycloakSessionFactory().getProviderFactory(FormAction.class, formActionExecution.getAuthenticator());
+            FormAction action = factory.create(processor.getSession());
 
             UserModel authUser = processor.getClientSession().getAuthenticatedUser();
             if (action.requiresUser() && authUser == null) {
@@ -163,7 +164,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
                 configuredFor = action.configuredFor(processor.getSession(), processor.getRealm(), authUser);
                 if (!configuredFor) {
                     if (formActionExecution.isRequired()) {
-                        if (formActionExecution.isUserSetupAllowed()) {
+                        if (factory.isUserSetupAllowed()) {
                             AuthenticationProcessor.logger.debugv("authenticator SETUP_REQUIRED: {0}", formExecution.getAuthenticator());
                             executionStatus.put(formActionExecution.getId(), ClientSessionModel.ExecutionStatus.SETUP_REQUIRED);
                             requiredActions.add(action);

services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticatorFactory.java

@@ -78,4 +78,10 @@ public class CookieAuthenticatorFactory implements AuthenticatorFactory {
     public List<ProviderConfigProperty> getConfigProperties() {
         return null;
     }
+
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
 }

services/src/main/java/org/keycloak/authentication/authenticators/browser/OTPFormAuthenticatorFactory.java

@@ -59,6 +59,11 @@ public class OTPFormAuthenticatorFactory implements AuthenticatorFactory {
         return false;
     }
 
+    @Override
+    public boolean isUserSetupAllowed() {
+        return true;
+    }
+
     public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
             AuthenticationExecutionModel.Requirement.REQUIRED,
             AuthenticationExecutionModel.Requirement.OPTIONAL,

services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticatorFactory.java

@@ -84,4 +84,10 @@ public class SpnegoAuthenticatorFactory implements AuthenticatorFactory {
     public List<ProviderConfigProperty> getConfigProperties() {
         return null;
     }
+
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
 }

services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory.java

@@ -81,4 +81,10 @@ public class UsernamePasswordFormFactory implements AuthenticatorFactory {
     public List<ProviderConfigProperty> getConfigProperties() {
         return null;
     }
+
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
 }

services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateOTP.java

@@ -82,6 +82,12 @@ public class ValidateOTP extends AbstractDirectGrantAuthenticator {
 
     }
 
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
+
     @Override
     public String getDisplayType() {
         return "OTP";

services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidatePassword.java

@@ -73,6 +73,12 @@ public class ValidatePassword extends AbstractDirectGrantAuthenticator {
 
     }
 
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
+
     @Override
     public String getDisplayType() {
         return "Password";

services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java

@@ -103,6 +103,12 @@ public class ValidateUsername extends AbstractDirectGrantAuthenticator {
 
     }
 
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
+
     @Override
     public String getDisplayType() {
         return "Username Validation";

services/src/main/java/org/keycloak/authentication/forms/RegistrationPage.java

@@ -82,6 +82,11 @@ public class RegistrationPage implements FormAuthenticator, FormAuthenticatorFac
 
     }
 
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
     @Override
     public void postInit(KeycloakSessionFactory factory) {
 

services/src/main/java/org/keycloak/authentication/forms/RegistrationPassword.java

@@ -105,6 +105,11 @@ public class RegistrationPassword implements FormAction, FormActionFactory {
 
     }
 
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
     @Override
     public void close() {
 

services/src/main/java/org/keycloak/authentication/forms/RegistrationProfile.java

@@ -110,6 +110,12 @@ public class RegistrationProfile implements FormAction, FormActionFactory {
 
     }
 
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
+
     @Override
     public void close() {
 

services/src/main/java/org/keycloak/authentication/forms/RegistrationRecaptcha.java

@@ -158,6 +158,12 @@ public class RegistrationRecaptcha implements FormAction, FormActionFactory, Con
 
     }
 
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
+
     @Override
     public void close() {
 

services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java

@@ -149,6 +149,12 @@ public class RegistrationUserCreation implements FormAction, FormActionFactory {
 
     }
 
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
+
     @Override
     public void close() {