libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

Merge pull request #3628 from mposolda/master

Browse source 
KEYCLOAK-4058 Improve LDAPStorageMapper and remove LDAPStorageMapperB…
This commit is contained in:
Marek Posolda 2016-12-08 19:36:25 +01:00 committed by GitHub
commit 10064fdac9
29 changed files with 174 additions and 303 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java
View file

@ -152,7 +152,7 @@ public class LDAPStorageProvider implements UserStorageProvider,
List<ComponentModel> sortedMappers = sortMappersAsc(mappers);
for (ComponentModel mapperModel : sortedMappers) {
LDAPStorageMapper ldapMapper = getMapper(mapperModel);
proxied = ldapMapper.proxy(mapperModel, this, ldapObject, proxied, realm);
proxied = ldapMapper.proxy(ldapObject, proxied, realm);
}
return proxied;
@ -283,7 +283,7 @@ public class LDAPStorageProvider implements UserStorageProvider,
List<ComponentModel> sortedMappers = sortMappersAsc(mappers);
for (ComponentModel mapperModel : sortedMappers) {
LDAPStorageMapper ldapMapper = getMapper(mapperModel);
List<UserModel> users = ldapMapper.getGroupMembers(mapperModel, this, realm, group, firstResult, maxResults);
List<UserModel> users = ldapMapper.getGroupMembers(realm, group, firstResult, maxResults);
// Sufficient for now
if (users.size() > 0) {
@ -387,7 +387,7 @@ public class LDAPStorageProvider implements UserStorageProvider,
logger.tracef("Using mapper %s during import user from LDAP", mapperModel);
}
LDAPStorageMapper ldapMapper = getMapper(mapperModel);
ldapMapper.onImportUserFromLDAP(mapperModel, this, ldapUser, imported, realm, true);
ldapMapper.onImportUserFromLDAP(ldapUser, imported, realm, true);
}
String userDN = ldapUser.getDn().toString();
@ -469,7 +469,7 @@ public class LDAPStorageProvider implements UserStorageProvider,
logger.tracef("Using mapper %s during import user from LDAP", mapperModel);
}
LDAPStorageMapper ldapMapper = getMapper(mapperModel);
processed = processed || ldapMapper.onAuthenticationFailure(mapperModel, this, ldapUser, user, ae, realm);
processed = processed || ldapMapper.onAuthenticationFailure(ldapUser, user, ae, realm);
}
return processed;
}

6
federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java
View file

@ -360,12 +360,12 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory<LD
@Override
public void run(KeycloakSession session) {
LDAPStorageProvider ldapProvider = (LDAPStorageProvider)session.getProvider(UserStorageProvider.class, model);
RealmModel realm = session.realms().getRealm(realmId);
session.getProvider(UserStorageProvider.class, model);
List<ComponentModel> mappers = realm.getComponents(model.getId(), LDAPStorageMapper.class.getName());
for (ComponentModel mapperModel : mappers) {
LDAPStorageMapper ldapMapper = session.getProvider(LDAPStorageMapper.class, mapperModel);
SynchronizationResult syncResult = ldapMapper.syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
SynchronizationResult syncResult = ldapMapper.syncDataFromFederationProviderToKeycloak(realm);
if (syncResult.getAdded() > 0 || syncResult.getUpdated() > 0 || syncResult.getRemoved() > 0 || syncResult.getFailed() > 0) {
logger.infof("Sync of federation mapper '%s' finished. Status: %s", mapperModel.getName(), syncResult.toString());
}
@ -461,7 +461,7 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory<LD
List<ComponentModel> sortedMappers = ldapFedProvider.sortMappersDesc(federationMappers);
for (ComponentModel mapperModel : sortedMappers) {
LDAPStorageMapper ldapMapper = ldapFedProvider.getMapper(mapperModel);
ldapMapper.onImportUserFromLDAP(mapperModel, ldapFedProvider, ldapUser, currentUser, currentRealm, false);
ldapMapper.onImportUserFromLDAP(ldapUser, currentUser, currentRealm, false);
}
logger.debugf("Updated user from LDAP: %s", currentUser.getUsername());

2
federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java
View file

@ -64,7 +64,7 @@ public class LDAPUtils {
List<ComponentModel> sortedMappers = ldapProvider.sortMappersAsc(federationMappers);
for (ComponentModel mapperModel : sortedMappers) {
LDAPStorageMapper ldapMapper = ldapProvider.getMapper(mapperModel);
ldapMapper.onRegisterUserToLDAP(mapperModel, ldapProvider, ldapUser, user, realm);
ldapMapper.onRegisterUserToLDAP(ldapUser, user, realm);
}
LDAPUtils.computeAndSetDn(ldapConfig, ldapUser);

2
federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/query/internal/LDAPQuery.java
View file

@ -155,7 +155,7 @@ public class LDAPQuery {
List<ComponentModel> sortedMappers = ldapFedProvider.sortMappersAsc(mappers);
for (ComponentModel mapperModel : sortedMappers) {
LDAPStorageMapper fedMapper = ldapFedProvider.getMapper(mapperModel);
fedMapper.beforeLDAPQuery(mapperModel, this);
fedMapper.beforeLDAPQuery(this);
}
List<LDAPObject> result = new ArrayList<LDAPObject>();

52
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/AbstractLDAPStorageMapper.java
View file

@ -36,57 +36,35 @@ import java.util.List;
*
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public abstract class AbstractLDAPStorageMapper {
public abstract class AbstractLDAPStorageMapper implements LDAPStorageMapper {
protected final KeycloakSession session;
protected final ComponentModel mapperModel;
protected final LDAPStorageProvider ldapProvider;
protected final RealmModel realm;
public AbstractLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm) {
public AbstractLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
this.mapperModel = mapperModel;
this.ldapProvider = ldapProvider;
this.realm = realm;
this.session = ldapProvider.getSession();
}
/**
* @see LDAPStorageMapper#syncDataFromFederationProviderToKeycloak(ComponentModel, LDAPStorageProvider, KeycloakSession, RealmModel)
*/
public SynchronizationResult syncDataFromFederationProviderToKeycloak() {
public SynchronizationResult syncDataFromFederationProviderToKeycloak(RealmModel realm) {
return new SynchronizationResult();
}
/**
* @see LDAPStorageMapper#syncDataFromKeycloakToFederationProvider(ComponentModel, LDAPStorageProvider, KeycloakSession, RealmModel)
*/
public SynchronizationResult syncDataFromKeycloakToFederationProvider() {
public SynchronizationResult syncDataFromKeycloakToFederationProvider(RealmModel realm) {
return new SynchronizationResult();
}
/**
* @see LDAPStorageMapper#beforeLDAPQuery(ComponentModel, LDAPQuery)
*/
public abstract void beforeLDAPQuery(LDAPQuery query);
/**
* @see LDAPStorageMapper#proxy(ComponentModel, LDAPStorageProvider, LDAPObject, UserModel, RealmModel)
*/
public abstract UserModel proxy(LDAPObject ldapUser, UserModel delegate);
/**
* @see LDAPStorageMapper#onRegisterUserToLDAP(ComponentModel, LDAPStorageProvider, LDAPObject, UserModel, RealmModel)
*/
public abstract void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser);
/**
* @see LDAPStorageMapper#onImportUserFromLDAP(ComponentModel, LDAPStorageProvider, LDAPObject, UserModel, RealmModel, boolean)
*/
public abstract void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, boolean isCreate);
public List<UserModel> getGroupMembers(GroupModel group, int firstResult, int maxResults) {
public List<UserModel> getGroupMembers(RealmModel realm, GroupModel group, int firstResult, int maxResults) {
return Collections.emptyList();
}
public boolean onAuthenticationFailure(LDAPObject ldapUser, UserModel user, AuthenticationException ldapException) {
public boolean onAuthenticationFailure(LDAPObject ldapUser, UserModel user, AuthenticationException ldapException, RealmModel realm) {
return false;
}
@ -96,11 +74,15 @@ public abstract class AbstractLDAPStorageMapper {
return Boolean.parseBoolean(paramm);
}
public LDAPStorageProvider getLdapProvider() {
return ldapProvider;
}
public RealmModel getRealm() {
return realm;
@Override
public void close() {
}
}

11
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/AbstractLDAPStorageMapperFactory.java
View file

@ -22,9 +22,7 @@ import org.keycloak.component.ComponentModel;
import org.keycloak.component.ComponentValidationException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.idm.UserFederationMapperSyncConfigRepresentation;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import java.util.HashMap;
@ -52,10 +50,15 @@ public abstract class AbstractLDAPStorageMapperFactory implements LDAPStorageMap
@Override
public LDAPStorageMapper create(KeycloakSession session, ComponentModel model) {
return new LDAPStorageMapperBridge(this); }
// LDAPStorageProvider is in the session already as mappers are always called from it
String ldapProviderModelId = model.getParentId();
LDAPStorageProvider ldapProvider = (LDAPStorageProvider) session.getAttribute(ldapProviderModelId);
return createMapper(model, ldapProvider);
}
// Used just by LDAPFederationMapperBridge.
protected abstract AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider, RealmModel realm);
protected abstract AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider);
@Override
public void postInit(KeycloakSessionFactory factory) {

10
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/FullNameLDAPStorageMapper.java
View file

@ -43,12 +43,12 @@ public class FullNameLDAPStorageMapper extends AbstractLDAPStorageMapper {
public static final String WRITE_ONLY = "write.only";
public FullNameLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm) {
super(mapperModel, ldapProvider, realm);
public FullNameLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
super(mapperModel, ldapProvider);
}
@Override
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, boolean isCreate) {
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
if (isWriteOnly()) {
return;
}
@ -72,7 +72,7 @@ public class FullNameLDAPStorageMapper extends AbstractLDAPStorageMapper {
}
@Override
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser) {
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
String ldapFullNameAttrName = getLdapFullNameAttrName();
String fullName = getFullName(localUser.getFirstName(), localUser.getLastName());
ldapUser.setSingleAttribute(ldapFullNameAttrName, fullName);
@ -83,7 +83,7 @@ public class FullNameLDAPStorageMapper extends AbstractLDAPStorageMapper {
}
@Override
public UserModel proxy(LDAPObject ldapUser, UserModel delegate) {
public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
if (ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE && !isReadOnly()) {

4
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/FullNameLDAPStorageMapperFactory.java
View file

@ -114,7 +114,7 @@ public class FullNameLDAPStorageMapperFactory extends AbstractLDAPStorageMapperF
}
@Override
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider, RealmModel realm) {
return new FullNameLDAPStorageMapper(mapperModel, federationProvider, realm);
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
return new FullNameLDAPStorageMapper(mapperModel, federationProvider);
}
}

22
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/HardcodedLDAPRoleStorageMapper.java
View file

@ -41,8 +41,8 @@ public class HardcodedLDAPRoleStorageMapper extends AbstractLDAPStorageMapper {
public static final String ROLE = "role";
public HardcodedLDAPRoleStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm) {
super(mapperModel, ldapProvider, realm);
public HardcodedLDAPRoleStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
super(mapperModel, ldapProvider);
}
@Override
@ -50,14 +50,14 @@ public class HardcodedLDAPRoleStorageMapper extends AbstractLDAPStorageMapper {
}
@Override
public UserModel proxy(LDAPObject ldapUser, UserModel delegate) {
public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
return new UserModelDelegate(delegate) {
@Override
public Set<RoleModel> getRealmRoleMappings() {
Set<RoleModel> roles = super.getRealmRoleMappings();
RoleModel role = getRole();
RoleModel role = getRole(realm);
if (role != null && role.getContainer().equals(realm)) {
roles.add(role);
}
@ -69,7 +69,7 @@ public class HardcodedLDAPRoleStorageMapper extends AbstractLDAPStorageMapper {
public Set<RoleModel> getClientRoleMappings(ClientModel app) {
Set<RoleModel> roles = super.getClientRoleMappings(app);
RoleModel role = getRole();
RoleModel role = getRole(realm);
if (role != null && role.getContainer().equals(app)) {
roles.add(role);
}
@ -79,14 +79,14 @@ public class HardcodedLDAPRoleStorageMapper extends AbstractLDAPStorageMapper {
@Override
public boolean hasRole(RoleModel role) {
return super.hasRole(role) || role.equals(getRole());
return super.hasRole(role) || role.equals(getRole(realm));
}
@Override
public Set<RoleModel> getRoleMappings() {
Set<RoleModel> roles = super.getRoleMappings();
RoleModel role = getRole();
RoleModel role = getRole(realm);
if (role != null) {
roles.add(role);
}
@ -96,7 +96,7 @@ public class HardcodedLDAPRoleStorageMapper extends AbstractLDAPStorageMapper {
@Override
public void deleteRoleMapping(RoleModel role) {
if (role.equals(getRole())) {
if (role.equals(getRole(realm))) {
throw new ModelException("Not possible to delete role. It's hardcoded by LDAP mapper");
} else {
super.deleteRoleMapping(role);
@ -106,16 +106,16 @@ public class HardcodedLDAPRoleStorageMapper extends AbstractLDAPStorageMapper {
}
@Override
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser) {
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
}
@Override
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, boolean isCreate) {
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
}
private RoleModel getRole() {
private RoleModel getRole(RealmModel realm) {
String roleName = mapperModel.getConfig().getFirst(HardcodedLDAPRoleStorageMapper.ROLE);
RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
if (role == null) {

4
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/HardcodedLDAPRoleStorageMapperFactory.java
View file

@ -72,7 +72,7 @@ public class HardcodedLDAPRoleStorageMapperFactory extends AbstractLDAPStorageMa
}
@Override
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider, RealmModel realm) {
return new HardcodedLDAPRoleStorageMapper(mapperModel, federationProvider, realm);
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
return new HardcodedLDAPRoleStorageMapper(mapperModel, federationProvider);
}
}

39
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/LDAPStorageMapper.java
View file

@ -17,13 +17,10 @@
package org.keycloak.storage.ldap.mappers;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.Provider;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.user.SynchronizationResult;
@ -42,84 +39,66 @@ public interface LDAPStorageMapper extends Provider {
*
* Applicable just if sync is supported
*
* @param mapperModel
* @param provider
* @param session
* @param realm
*/
SynchronizationResult syncDataFromFederationProviderToKeycloak(ComponentModel mapperModel, LDAPStorageProvider provider, KeycloakSession session, RealmModel realm);
SynchronizationResult syncDataFromFederationProviderToKeycloak(RealmModel realm);
/**
* Sync data from Keycloak back to federated storage
*
* @param mapperModel
* @param provider
* @param session
* @param realm
*/
SynchronizationResult syncDataFromKeycloakToFederationProvider(ComponentModel mapperModel, LDAPStorageProvider provider, KeycloakSession session, RealmModel realm);
**/
SynchronizationResult syncDataFromKeycloakToFederationProvider(RealmModel realm);
/**
* Return empty list if doesn't support storing of groups
*/
List<UserModel> getGroupMembers(ComponentModel mapperModel, LDAPStorageProvider provider, RealmModel realm, GroupModel group, int firstResult, int maxResults);
List<UserModel> getGroupMembers(RealmModel realm, GroupModel group, int firstResult, int maxResults);
/**
* Called when importing user from LDAP to local keycloak DB.
*
* @param mapperModel
* @param ldapProvider
* @param ldapUser
* @param user
* @param realm
* @param isCreate true if we importing new user from LDAP. False if user already exists in Keycloak, but we are upgrading (syncing) it from LDAP
*/
void onImportUserFromLDAP(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate);
void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate);
/**
* Called when register new user to LDAP - just after user was created in Keycloak DB
*
* @param mapperModel
* @param ldapProvider
* @param ldapUser
* @param localUser
* @param realm
*/
void onRegisterUserToLDAP(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, LDAPObject ldapUser, UserModel localUser, RealmModel realm);
void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm);
/**
* Called when invoke proxy on LDAP federation provider
*
* @param mapperModel
* @param ldapProvider
* @param ldapUser
* @param delegate
* @param realm
* @return
*/
UserModel proxy(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, LDAPObject ldapUser, UserModel delegate, RealmModel realm);
UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm);
/**
* Called before LDAP Identity query for retrieve LDAP users was executed. It allows to change query somehow (add returning attributes from LDAP, change conditions etc)
*
* @param mapperModel
* @param query
*/
void beforeLDAPQuery(ComponentModel mapperModel, LDAPQuery query);
void beforeLDAPQuery(LDAPQuery query);
/**
* Called when LDAP authentication of specified user fails. If any mapper returns true from this method, AuthenticationException won't be rethrown!
*
* @param mapperModel
* @param ldapProvider
* @param realm
* @param user
* @param ldapUser
* @param ldapException
* @return true if mapper processed the AuthenticationException and did some actions based on that. In that case, AuthenticationException won't be rethrown!
*/
boolean onAuthenticationFailure(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, LDAPObject ldapUser, UserModel user, AuthenticationException ldapException, RealmModel realm);
boolean onAuthenticationFailure(LDAPObject ldapUser, UserModel user, AuthenticationException ldapException, RealmModel realm);
}

98
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/LDAPStorageMapperBridge.java
View file

@ -1,98 +0,0 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.storage.ldap.mappers;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.user.SynchronizationResult;
import javax.naming.AuthenticationException;
import java.util.List;
/**
* Sufficient if mapper implementation is stateless and doesn't need to "close" any state
*
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class LDAPStorageMapperBridge implements LDAPStorageMapper {
private final AbstractLDAPStorageMapperFactory factory;
public LDAPStorageMapperBridge(AbstractLDAPStorageMapperFactory factory) {
this.factory = factory;
}
// Sync groups from LDAP to Keycloak DB
@Override
public SynchronizationResult syncDataFromFederationProviderToKeycloak(ComponentModel mapperModel, LDAPStorageProvider federationProvider, KeycloakSession session, RealmModel realm) {
return getDelegate(mapperModel, federationProvider, realm).syncDataFromFederationProviderToKeycloak();
}
@Override
public SynchronizationResult syncDataFromKeycloakToFederationProvider(ComponentModel mapperModel, LDAPStorageProvider federationProvider, KeycloakSession session, RealmModel realm) {
return getDelegate(mapperModel, federationProvider, realm).syncDataFromKeycloakToFederationProvider();
}
@Override
public void onImportUserFromLDAP(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
getDelegate(mapperModel, ldapProvider, realm).onImportUserFromLDAP(ldapUser, user, isCreate);
}
@Override
public void onRegisterUserToLDAP(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
getDelegate(mapperModel, ldapProvider, realm).onRegisterUserToLDAP(ldapUser, localUser);
}
@Override
public UserModel proxy(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
return getDelegate(mapperModel, ldapProvider, realm).proxy(ldapUser, delegate);
}
@Override
public void beforeLDAPQuery(ComponentModel mapperModel, LDAPQuery query) {
// Improve if needed
getDelegate(mapperModel, query.getLdapProvider(), null).beforeLDAPQuery(query);
}
@Override
public List<UserModel> getGroupMembers(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm, GroupModel group, int firstResult, int maxResults) {
return getDelegate(mapperModel, ldapProvider, realm).getGroupMembers(group, firstResult, maxResults);
}
@Override
public boolean onAuthenticationFailure(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, LDAPObject ldapUser, UserModel user, AuthenticationException ldapException, RealmModel realm) {
return getDelegate(mapperModel, ldapProvider, realm).onAuthenticationFailure(ldapUser, user, ldapException);
}
private AbstractLDAPStorageMapper getDelegate(ComponentModel mapperModel, LDAPStorageProvider federationProvider, RealmModel realm) {
LDAPStorageProvider ldapProvider = (LDAPStorageProvider) federationProvider;
return factory.createMapper(mapperModel, ldapProvider, realm);
}
@Override
public void close() {
}
}

10
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/UserAttributeLDAPStorageMapper.java
View file

@ -81,12 +81,12 @@ public class UserAttributeLDAPStorageMapper extends AbstractLDAPStorageMapper {
public static final String ALWAYS_READ_VALUE_FROM_LDAP = "always.read.value.from.ldap";
public static final String IS_MANDATORY_IN_LDAP = "is.mandatory.in.ldap";
public UserAttributeLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm) {
super(mapperModel, ldapProvider, realm);
public UserAttributeLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
super(mapperModel, ldapProvider);
}
@Override
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, boolean isCreate) {
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
String userModelAttrName = mapperModel.getConfig().getFirst(USER_MODEL_ATTRIBUTE);
String ldapAttrName = mapperModel.getConfig().getFirst(LDAP_ATTRIBUTE);
@ -113,7 +113,7 @@ public class UserAttributeLDAPStorageMapper extends AbstractLDAPStorageMapper {
}
@Override
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser) {
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
String userModelAttrName = mapperModel.getConfig().getFirst(USER_MODEL_ATTRIBUTE);
String ldapAttrName = mapperModel.getConfig().getFirst(LDAP_ATTRIBUTE);
boolean isMandatoryInLdap = parseBooleanParameter(mapperModel, IS_MANDATORY_IN_LDAP);
@ -172,7 +172,7 @@ public class UserAttributeLDAPStorageMapper extends AbstractLDAPStorageMapper {
}
@Override
public UserModel proxy(final LDAPObject ldapUser, UserModel delegate) {
public UserModel proxy(final LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
final String userModelAttrName = mapperModel.getConfig().getFirst(USER_MODEL_ATTRIBUTE);
final String ldapAttrName = mapperModel.getConfig().getFirst(LDAP_ATTRIBUTE);
boolean isAlwaysReadValueFromLDAP = parseBooleanParameter(mapperModel, ALWAYS_READ_VALUE_FROM_LDAP);

4
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/UserAttributeLDAPStorageMapperFactory.java
View file

@ -95,8 +95,8 @@ public class UserAttributeLDAPStorageMapperFactory extends AbstractLDAPStorageMa
}
@Override
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider, RealmModel realm) {
return new UserAttributeLDAPStorageMapper(mapperModel, federationProvider, realm);
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
return new UserAttributeLDAPStorageMapper(mapperModel, federationProvider);
}
@Override

9
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/MembershipType.java
View file

@ -68,8 +68,7 @@ public enum MembershipType {
}
@Override
public List<UserModel> getGroupMembers(GroupLDAPStorageMapper groupMapper, LDAPObject ldapGroup, int firstResult, int maxResults) {
RealmModel realm = groupMapper.getRealm();
public List<UserModel> getGroupMembers(RealmModel realm, GroupLDAPStorageMapper groupMapper, LDAPObject ldapGroup, int firstResult, int maxResults) {
LDAPStorageProvider ldapProvider = groupMapper.getLdapProvider();
CommonLDAPGroupMapperConfig config = groupMapper.getConfig();
@ -134,7 +133,7 @@ public enum MembershipType {
}
@Override
public List<UserModel> getGroupMembers(GroupLDAPStorageMapper groupMapper, LDAPObject ldapGroup, int firstResult, int maxResults) {
public List<UserModel> getGroupMembers(RealmModel realm, GroupLDAPStorageMapper groupMapper, LDAPObject ldapGroup, int firstResult, int maxResults) {
String memberAttrName = groupMapper.getConfig().getMembershipLdapAttribute();
Set<String> memberUids = LDAPUtils.getExistingMemberships(memberAttrName, ldapGroup);
@ -146,12 +145,12 @@ public enum MembershipType {
int max = Math.min(memberUids.size(), firstResult + maxResults);
uids = uids.subList(firstResult, max);
return groupMapper.getLdapProvider().loadUsersByUsernames(uids, groupMapper.getRealm());
return groupMapper.getLdapProvider().loadUsersByUsernames(uids, realm);
}
};
public abstract Set<LDAPDn> getLDAPSubgroups(GroupLDAPStorageMapper groupMapper, LDAPObject ldapGroup);
public abstract List<UserModel> getGroupMembers(GroupLDAPStorageMapper groupMapper, LDAPObject ldapGroup, int firstResult, int maxResults);
public abstract List<UserModel> getGroupMembers(RealmModel realm, GroupLDAPStorageMapper groupMapper, LDAPObject ldapGroup, int firstResult, int maxResults);
}

66
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
View file

@ -64,8 +64,8 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
// Flag to avoid syncing multiple times per transaction
private boolean syncFromLDAPPerformedInThisTransaction = false;
public GroupLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm, GroupLDAPStorageMapperFactory factory) {
super(mapperModel, ldapProvider, realm);
public GroupLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, GroupLDAPStorageMapperFactory factory) {
super(mapperModel, ldapProvider);
this.config = new GroupMapperConfig(mapperModel);
this.factory = factory;
}
@ -139,7 +139,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
// Sync from Ldap to KC
@Override
public SynchronizationResult syncDataFromFederationProviderToKeycloak() {
public SynchronizationResult syncDataFromFederationProviderToKeycloak(RealmModel realm) {
SynchronizationResult syncResult = new SynchronizationResult() {
@Override
@ -176,7 +176,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
try {
List<GroupTreeResolver.GroupTreeEntry> groupTrees = new GroupTreeResolver().resolveGroupTree(ldapGroupsRep);
updateKeycloakGroupTree(groupTrees, ldapGroupsMap, syncResult);
updateKeycloakGroupTree(realm, groupTrees, ldapGroupsMap, syncResult);
} catch (GroupTreeResolver.GroupTreeResolveException gre) {
throw new ModelException("Couldn't resolve groups from LDAP. Fix LDAP or skip preserve inheritance. Details: " + gre.getMessage(), gre);
}
@ -203,7 +203,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
// Possibly remove keycloak groups, which doesn't exists in LDAP
if (config.isDropNonExistingGroupsDuringSync()) {
dropNonExistingKcGroups(syncResult, visitedGroupIds);
dropNonExistingKcGroups(realm, syncResult, visitedGroupIds);
}
}
@ -212,20 +212,20 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
return syncResult;
}
private void updateKeycloakGroupTree(List<GroupTreeResolver.GroupTreeEntry> groupTrees, Map<String, LDAPObject> ldapGroups, SynchronizationResult syncResult) {
private void updateKeycloakGroupTree(RealmModel realm, List<GroupTreeResolver.GroupTreeEntry> groupTrees, Map<String, LDAPObject> ldapGroups, SynchronizationResult syncResult) {
Set<String> visitedGroupIds = new HashSet<>();
for (GroupTreeResolver.GroupTreeEntry groupEntry : groupTrees) {
updateKeycloakGroupTreeEntry(groupEntry, ldapGroups, null, syncResult, visitedGroupIds);
updateKeycloakGroupTreeEntry(realm, groupEntry, ldapGroups, null, syncResult, visitedGroupIds);
}
// Possibly remove keycloak groups, which doesn't exists in LDAP
if (config.isDropNonExistingGroupsDuringSync()) {
dropNonExistingKcGroups(syncResult, visitedGroupIds);
dropNonExistingKcGroups(realm, syncResult, visitedGroupIds);
}
}
private void updateKeycloakGroupTreeEntry(GroupTreeResolver.GroupTreeEntry groupTreeEntry, Map<String, LDAPObject> ldapGroups, GroupModel kcParent, SynchronizationResult syncResult, Set<String> visitedGroupIds) {
private void updateKeycloakGroupTreeEntry(RealmModel realm, GroupTreeResolver.GroupTreeEntry groupTreeEntry, Map<String, LDAPObject> ldapGroups, GroupModel kcParent, SynchronizationResult syncResult, Set<String> visitedGroupIds) {
String groupName = groupTreeEntry.getGroupName();
// Check if group already exists
@ -259,11 +259,11 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
visitedGroupIds.add(kcGroup.getId());
for (GroupTreeResolver.GroupTreeEntry childEntry : groupTreeEntry.getChildren()) {
updateKeycloakGroupTreeEntry(childEntry, ldapGroups, kcGroup, syncResult, visitedGroupIds);
updateKeycloakGroupTreeEntry(realm, childEntry, ldapGroups, kcGroup, syncResult, visitedGroupIds);
}
}
private void dropNonExistingKcGroups(SynchronizationResult syncResult, Set<String> visitedGroupIds) {
private void dropNonExistingKcGroups(RealmModel realm, SynchronizationResult syncResult, Set<String> visitedGroupIds) {
// Remove keycloak groups, which doesn't exists in LDAP
List<GroupModel> allGroups = realm.getGroups();
for (GroupModel kcGroup : allGroups) {
@ -289,7 +289,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
}
protected GroupModel findKcGroupByLDAPGroup(LDAPObject ldapGroup) {
protected GroupModel findKcGroupByLDAPGroup(RealmModel realm, LDAPObject ldapGroup) {
String groupNameAttr = config.getGroupNameLdapAttribute();
String groupName = ldapGroup.getAttributeAsString(groupNameAttr);
@ -309,8 +309,8 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
}
}
protected GroupModel findKcGroupOrSyncFromLDAP(LDAPObject ldapGroup, UserModel user) {
GroupModel kcGroup = findKcGroupByLDAPGroup(ldapGroup);
protected GroupModel findKcGroupOrSyncFromLDAP(RealmModel realm, LDAPObject ldapGroup, UserModel user) {
GroupModel kcGroup = findKcGroupByLDAPGroup(realm, ldapGroup);
if (kcGroup == null) {
@ -318,8 +318,8 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
// Better to sync all groups from LDAP with preserved inheritance
if (!syncFromLDAPPerformedInThisTransaction) {
syncDataFromFederationProviderToKeycloak();
kcGroup = findKcGroupByLDAPGroup(ldapGroup);
syncDataFromFederationProviderToKeycloak(realm);
kcGroup = findKcGroupByLDAPGroup(realm, ldapGroup);
}
} else {
String groupNameAttr = config.getGroupNameLdapAttribute();
@ -348,8 +348,8 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
// Sync from Keycloak to LDAP
public SynchronizationResult syncDataFromKeycloakToFederationProvider() {
@Override
public SynchronizationResult syncDataFromKeycloakToFederationProvider(RealmModel realm) {
SynchronizationResult syncResult = new SynchronizationResult() {
@Override
@ -480,20 +480,20 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
@Override
public List<UserModel> getGroupMembers(GroupModel kcGroup, int firstResult, int maxResults) {
public List<UserModel> getGroupMembers(RealmModel realm, GroupModel kcGroup, int firstResult, int maxResults) {
LDAPObject ldapGroup = loadLDAPGroupByName(kcGroup.getName());
if (ldapGroup == null) {
return Collections.emptyList();
}
MembershipType membershipType = config.getMembershipTypeLdapAttribute();
return membershipType.getGroupMembers(this, ldapGroup, firstResult, maxResults);
return membershipType.getGroupMembers(realm, this, ldapGroup, firstResult, maxResults);
}
public void addGroupMappingInLDAP(String groupName, LDAPObject ldapUser) {
public void addGroupMappingInLDAP(RealmModel realm, String groupName, LDAPObject ldapUser) {
LDAPObject ldapGroup = loadLDAPGroupByName(groupName);
if (ldapGroup == null) {
syncDataFromKeycloakToFederationProvider();
syncDataFromKeycloakToFederationProvider(realm);
ldapGroup = loadLDAPGroupByName(groupName);
}
@ -510,27 +510,31 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
return strategy.getLDAPRoleMappings(this, ldapUser);
}
@Override
public void beforeLDAPQuery(LDAPQuery query) {
String strategyKey = config.getUserGroupsRetrieveStrategy();
UserRolesRetrieveStrategy strategy = factory.getUserGroupsRetrieveStrategy(strategyKey);
strategy.beforeUserLDAPQuery(query);
}
public UserModel proxy(LDAPObject ldapUser, UserModel delegate) {
@Override
public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
final LDAPGroupMapperMode mode = config.getMode();
// For IMPORT mode, all operations are performed against local DB
if (mode == LDAPGroupMapperMode.IMPORT) {
return delegate;
} else {
return new LDAPGroupMappingsUserDelegate(delegate, ldapUser);
return new LDAPGroupMappingsUserDelegate(realm, delegate, ldapUser);
}
}
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser) {
@Override
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
}
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, boolean isCreate) {
@Override
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
LDAPGroupMapperMode mode = config.getMode();
// For now, import LDAP group mappings just during create
@ -541,7 +545,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
// Import role mappings from LDAP into Keycloak DB
for (LDAPObject ldapGroup : ldapGroups) {
GroupModel kcGroup = findKcGroupOrSyncFromLDAP(ldapGroup, user);
GroupModel kcGroup = findKcGroupOrSyncFromLDAP(realm, ldapGroup, user);
if (kcGroup != null) {
logger.debugf("User '%s' joins group '%s' during import from LDAP", user.getUsername(), kcGroup.getName());
user.joinGroup(kcGroup);
@ -553,13 +557,15 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
public class LDAPGroupMappingsUserDelegate extends UserModelDelegate {
private final RealmModel realm;
private final LDAPObject ldapUser;
// Avoid loading group mappings from LDAP more times per-request
private Set<GroupModel> cachedLDAPGroupMappings;
public LDAPGroupMappingsUserDelegate(UserModel user, LDAPObject ldapUser) {
public LDAPGroupMappingsUserDelegate(RealmModel realm, UserModel user, LDAPObject ldapUser) {
super(user);
this.realm = realm;
this.ldapUser = ldapUser;
}
@ -587,7 +593,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
if (config.getMode() == LDAPGroupMapperMode.LDAP_ONLY) {
// We need to create new role mappings in LDAP
cachedLDAPGroupMappings = null;
addGroupMappingInLDAP(group.getName(), ldapUser);
addGroupMappingInLDAP(realm, group.getName(), ldapUser);
} else {
super.joinGroup(group);
}
@ -635,7 +641,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
Set<GroupModel> result = new HashSet<>();
for (LDAPObject ldapGroup : ldapGroups) {
GroupModel kcGroup = findKcGroupOrSyncFromLDAP(ldapGroup, this);
GroupModel kcGroup = findKcGroupOrSyncFromLDAP(realm, ldapGroup, this);
if (kcGroup != null) {
result.add(kcGroup);
}

4
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapperFactory.java
View file

@ -200,8 +200,8 @@ public class GroupLDAPStorageMapperFactory extends AbstractLDAPStorageMapperFact
}
@Override
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider, RealmModel realm) {
return new GroupLDAPStorageMapper(mapperModel, federationProvider, realm, this);
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
return new GroupLDAPStorageMapper(mapperModel, federationProvider, this);
}
protected UserRolesRetrieveStrategy getUserGroupsRetrieveStrategy(String strategyKey) {

30
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/role/RoleLDAPStorageMapper.java
View file

@ -58,8 +58,8 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
private final RoleMapperConfig config;
private final RoleLDAPStorageMapperFactory factory;
public RoleLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm, RoleLDAPStorageMapperFactory factory) {
super(mapperModel, ldapProvider, realm);
public RoleLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RoleLDAPStorageMapperFactory factory) {
super(mapperModel, ldapProvider);
this.config = new RoleMapperConfig(mapperModel);
this.factory = factory;
}
@ -77,7 +77,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
@Override
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, boolean isCreate) {
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
LDAPGroupMapperMode mode = config.getMode();
// For now, import LDAP role mappings just during create
@ -90,7 +90,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
for (LDAPObject ldapRole : ldapRoles) {
String roleName = ldapRole.getAttributeAsString(roleNameAttr);
RoleContainerModel roleContainer = getTargetRoleContainer();
RoleContainerModel roleContainer = getTargetRoleContainer(realm);
RoleModel role = roleContainer.getRole(roleName);
if (role == null) {
@ -104,13 +104,13 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
}
@Override
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser) {
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
}
// Sync roles from LDAP to Keycloak DB
@Override
public SynchronizationResult syncDataFromFederationProviderToKeycloak() {
public SynchronizationResult syncDataFromFederationProviderToKeycloak(RealmModel realm) {
SynchronizationResult syncResult = new SynchronizationResult() {
@Override
@ -126,7 +126,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
LDAPQuery ldapRoleQuery = createRoleQuery();
List<LDAPObject> ldapRoles = LDAPUtils.loadAllLDAPObjects(ldapRoleQuery, ldapProvider);
RoleContainerModel roleContainer = getTargetRoleContainer();
RoleContainerModel roleContainer = getTargetRoleContainer(realm);
String rolesRdnAttr = config.getRoleNameLdapAttribute();
for (LDAPObject ldapRole : ldapRoles) {
String roleName = ldapRole.getAttributeAsString(rolesRdnAttr);
@ -146,7 +146,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
// Sync roles from Keycloak back to LDAP
@Override
public SynchronizationResult syncDataFromKeycloakToFederationProvider() {
public SynchronizationResult syncDataFromKeycloakToFederationProvider(RealmModel realm) {
SynchronizationResult syncResult = new SynchronizationResult() {
@Override
@ -175,7 +175,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
}
RoleContainerModel roleContainer = getTargetRoleContainer();
RoleContainerModel roleContainer = getTargetRoleContainer(realm);
Set<RoleModel> keycloakRoles = roleContainer.getRoles();
for (RoleModel keycloakRole : keycloakRoles) {
@ -220,7 +220,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
return ldapQuery;
}
protected RoleContainerModel getTargetRoleContainer() {
protected RoleContainerModel getTargetRoleContainer(RealmModel realm) {
boolean realmRolesMapping = config.isRealmRolesMapping();
if (realmRolesMapping) {
return realm;
@ -273,14 +273,14 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
}
@Override
public UserModel proxy(LDAPObject ldapUser, UserModel delegate) {
public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
final LDAPGroupMapperMode mode = config.getMode();
// For IMPORT mode, all operations are performed against local DB
if (mode == LDAPGroupMapperMode.IMPORT) {
return delegate;
} else {
return new LDAPRoleMappingsUserDelegate(delegate, ldapUser);
return new LDAPRoleMappingsUserDelegate(realm, delegate, ldapUser);
}
}
@ -295,16 +295,18 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
public class LDAPRoleMappingsUserDelegate extends UserModelDelegate {
private final RealmModel realm;
private final LDAPObject ldapUser;
private final RoleContainerModel roleContainer;
// Avoid loading role mappings from LDAP more times per-request
private Set<RoleModel> cachedLDAPRoleMappings;
public LDAPRoleMappingsUserDelegate(UserModel user, LDAPObject ldapUser) {
public LDAPRoleMappingsUserDelegate(RealmModel realm, UserModel user, LDAPObject ldapUser) {
super(user);
this.realm = realm;
this.ldapUser = ldapUser;
this.roleContainer = getTargetRoleContainer();
this.roleContainer = getTargetRoleContainer(realm);
}
@Override

4
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/role/RoleLDAPStorageMapperFactory.java
View file

@ -194,8 +194,8 @@ public class RoleLDAPStorageMapperFactory extends AbstractLDAPStorageMapperFacto
}
@Override
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider, RealmModel realm) {
return new RoleLDAPStorageMapper(mapperModel, federationProvider, realm, this);
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
return new RoleLDAPStorageMapper(mapperModel, federationProvider, this);
}
protected UserRolesRetrieveStrategy getUserRolesRetrieveStrategy(String strategyKey) {

12
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
View file

@ -51,8 +51,8 @@ public class MSADUserAccountControlStorageMapper extends AbstractLDAPStorageMapp
private static final Pattern AUTH_EXCEPTION_REGEX = Pattern.compile(".*AcceptSecurityContext error, data ([0-9a-f]*), v.*");
private static final Pattern AUTH_INVALID_NEW_PASSWORD = Pattern.compile(".*error code ([0-9a-f]+) .*WILL_NOT_PERFORM.*");
public MSADUserAccountControlStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm) {
super(mapperModel, ldapProvider, realm);
public MSADUserAccountControlStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
super(mapperModel, ldapProvider);
ldapProvider.setUpdater(this);
}
@ -95,22 +95,22 @@ public class MSADUserAccountControlStorageMapper extends AbstractLDAPStorageMapp
}
@Override
public UserModel proxy(LDAPObject ldapUser, UserModel delegate) {
public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
return new MSADUserModelDelegate(delegate, ldapUser);
}
@Override
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser) {
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
}
@Override
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, boolean isCreate) {
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
}
@Override
public boolean onAuthenticationFailure(LDAPObject ldapUser, UserModel user, AuthenticationException ldapException) {
public boolean onAuthenticationFailure(LDAPObject ldapUser, UserModel user, AuthenticationException ldapException, RealmModel realm) {
String exceptionMessage = ldapException.getMessage();
Matcher m = AUTH_EXCEPTION_REGEX.matcher(exceptionMessage);
if (m.matches()) {

4
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapperFactory.java
View file

@ -56,7 +56,7 @@ public class MSADUserAccountControlStorageMapperFactory extends AbstractLDAPStor
}
@Override
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider, RealmModel realm) {
return new MSADUserAccountControlStorageMapper(mapperModel, federationProvider, realm);
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
return new MSADUserAccountControlStorageMapper(mapperModel, federationProvider);
}
}

12
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msadlds/MSADLDSUserAccountControlStorageMapper.java
View file

@ -52,8 +52,8 @@ public class MSADLDSUserAccountControlStorageMapper extends AbstractLDAPStorageM
private static final Pattern AUTH_EXCEPTION_REGEX = Pattern.compile(".*AcceptSecurityContext error, data ([0-9a-f]*), v.*");
private static final Pattern AUTH_INVALID_NEW_PASSWORD = Pattern.compile("(?s).*problem 1005 \\(CONSTRAINT_ATT_TYPE\\), data [0-9a-f]*, Att 23 \\(userPassword\\).*");
public MSADLDSUserAccountControlStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm) {
super(mapperModel, ldapProvider, realm);
public MSADLDSUserAccountControlStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
super(mapperModel, ldapProvider);
ldapProvider.setUpdater(this);
}
@ -94,22 +94,22 @@ public class MSADLDSUserAccountControlStorageMapper extends AbstractLDAPStorageM
}
@Override
public UserModel proxy(LDAPObject ldapUser, UserModel delegate) {
public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
return new MSADUserModelDelegate(delegate, ldapUser);
}
@Override
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser) {
public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
}
@Override
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, boolean isCreate) {
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
}
@Override
public boolean onAuthenticationFailure(LDAPObject ldapUser, UserModel user, AuthenticationException ldapException) {
public boolean onAuthenticationFailure(LDAPObject ldapUser, UserModel user, AuthenticationException ldapException, RealmModel realm) {
String exceptionMessage = ldapException.getMessage();
Matcher m = AUTH_EXCEPTION_REGEX.matcher(exceptionMessage);
if (m.matches()) {

4
federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msadlds/MSADLDSUserAccountControlStorageMapperFactory.java
View file

@ -57,7 +57,7 @@ public class MSADLDSUserAccountControlStorageMapperFactory extends AbstractLDAPS
}
@Override
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider, RealmModel realm) {
return new MSADLDSUserAccountControlStorageMapper(mapperModel, federationProvider, realm);
protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
return new MSADLDSUserAccountControlStorageMapper(mapperModel, federationProvider);
}
}

2
services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java
View file

@ -182,7 +182,7 @@ public class DefaultKeycloakSession implements KeycloakSession {
@Override
public <T extends Provider> T getProvider(Class<T> clazz, ComponentModel componentModel) {
String modelId = componentModel.getProviderType() + "::" + componentModel.getId();
String modelId = componentModel.getId();
Object found = getAttribute(modelId);
if (found != null) {

10
services/src/main/java/org/keycloak/services/resources/admin/UserStorageProviderResource.java
View file

@ -147,19 +147,17 @@ public class UserStorageProviderResource {
if (parentModel == null) throw new NotFoundException("Parent model not found");
ComponentModel mapperModel = realm.getComponent(mapperId);
if (mapperModel == null) throw new NotFoundException("Mapper model not found");
LDAPStorageMapper mapper = session.getProvider(LDAPStorageMapper.class, mapperModel);
ProviderFactory factory = session.getKeycloakSessionFactory().getProviderFactory(UserStorageProvider.class, parentModel.getProviderId());
LDAPStorageProviderFactory providerFactory = (LDAPStorageProviderFactory)factory;
LDAPStorageProvider federationProvider = providerFactory.create(session, parentModel);
LDAPStorageProvider ldapProvider = (LDAPStorageProvider) session.getProvider(UserStorageProvider.class, parentModel);
LDAPStorageMapper mapper = session.getProvider(LDAPStorageMapper.class, mapperModel);
ServicesLogger.LOGGER.syncingDataForMapper(mapperModel.getName(), mapperModel.getProviderId(), direction);
SynchronizationResult syncResult;
if ("fedToKeycloak".equals(direction)) {
syncResult = mapper.syncDataFromFederationProviderToKeycloak(mapperModel, federationProvider, session, realm);
syncResult = mapper.syncDataFromFederationProviderToKeycloak(realm);
} else if ("keycloakToFed".equals(direction)) {
syncResult = mapper.syncDataFromKeycloakToFederationProvider(mapperModel, federationProvider, session, realm);
syncResult = mapper.syncDataFromKeycloakToFederationProvider(realm);
} else {
throw new BadRequestException("Unknown direction: " + direction);
}

12
testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPGroupMapper2WaySyncTest.java
View file

@ -115,7 +115,7 @@ public class LDAPGroupMapper2WaySyncTest {
realm.updateComponent(mapperModel);
// Sync from Keycloak into LDAP
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromKeycloakToFederationProvider(mapperModel, ldapProvider, session, realm);
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromKeycloakToFederationProvider(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 4, 0, 0, 0);
} finally {
keycloakRule.stopSession(session, true);
@ -143,7 +143,7 @@ public class LDAPGroupMapper2WaySyncTest {
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel);
// Sync from LDAP back into Keycloak
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 4, 0, 0, 0);
// Assert groups are imported to keycloak. All are at top level
@ -179,7 +179,7 @@ public class LDAPGroupMapper2WaySyncTest {
realm.updateComponent(mapperModel);
// Sync from Keycloak into LDAP
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromKeycloakToFederationProvider(mapperModel, ldapProvider, session, realm);
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromKeycloakToFederationProvider(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 4, 0, 0, 0);
} finally {
keycloakRule.stopSession(session, true);
@ -207,7 +207,7 @@ public class LDAPGroupMapper2WaySyncTest {
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel);
// Sync from LDAP back into Keycloak
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 4, 0, 0, 0);
// Assert groups are imported to keycloak. All are at top level
@ -242,7 +242,7 @@ public class LDAPGroupMapper2WaySyncTest {
LDAPTestUtils.createLDAPGroup(session, realm, ldapModel, "group3");
// Sync and assert our group is still in LDAP
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromKeycloakToFederationProvider(mapperModel, ldapProvider, session, realm);
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromKeycloakToFederationProvider(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 0, 4, 0, 0);
Assert.assertNotNull(LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, realm).loadLDAPGroupByName("group3"));
@ -251,7 +251,7 @@ public class LDAPGroupMapper2WaySyncTest {
realm.updateComponent(mapperModel);
// Sync and assert group removed from LDAP
syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromKeycloakToFederationProvider(mapperModel, ldapProvider, session, realm);
syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromKeycloakToFederationProvider(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 0, 4, 1, 0);
Assert.assertNull(LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, realm).loadLDAPGroupByName("group3"));
}

16
testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPGroupMapperSyncTest.java
View file

@ -147,7 +147,7 @@ public class LDAPGroupMapperSyncTest {
LDAPUtils.addMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, group12, group1, true);
try {
new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
Assert.fail("Not expected group sync to pass");
} catch (ModelException expected) {
Assert.assertTrue(expected.getMessage().contains("Recursion detected"));
@ -157,7 +157,7 @@ public class LDAPGroupMapperSyncTest {
LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "false");
realm.updateComponent(mapperModel);
new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
// Assert groups are imported to keycloak. All are at top level
GroupModel kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1");
@ -206,7 +206,7 @@ public class LDAPGroupMapperSyncTest {
GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, realm);
// Sync groups with inheritance
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 3, 0, 0, 0);
// Assert groups are imported to keycloak including their inheritance from LDAP
@ -232,7 +232,7 @@ public class LDAPGroupMapperSyncTest {
ldapProvider.getLdapIdentityStore().update(group12);
// Sync and assert groups updated
syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 0, 3, 0, 0);
// Assert attributes changed in keycloak
@ -254,7 +254,7 @@ public class LDAPGroupMapperSyncTest {
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel);
// Sync groups with inheritance
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 3, 0, 0, 0);
// Assert groups are imported to keycloak including their inheritance from LDAP
@ -271,7 +271,7 @@ public class LDAPGroupMapperSyncTest {
realm.moveGroup(model2, kcGroup1);
// Sync groups again from LDAP. Nothing deleted
syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
LDAPTestUtils.assertSyncEquals(syncResult, 0, 3, 0, 0);
Assert.assertNotNull(KeycloakModelUtils.findGroupByPath(realm, "/group1/group11"));
@ -284,7 +284,7 @@ public class LDAPGroupMapperSyncTest {
realm.updateComponent(mapperModel);
// Sync groups again from LDAP. Assert LDAP non-existing groups deleted
syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm);
syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
Assert.assertEquals(3, syncResult.getUpdated());
Assert.assertTrue(syncResult.getRemoved() == 2);
@ -317,7 +317,7 @@ public class LDAPGroupMapperSyncTest {
LDAPTestUtils.removeAllLDAPUsers(ldapProvider, realm);
LDAPObject johnLdap = LDAPTestUtils.addLDAPUser(ldapProvider, realm, "johnkeycloak", "John", "Doe", "john@email.org", null, "1234");
LDAPTestUtils.updateLDAPPassword(ldapProvider, johnLdap, "Password1");
groupMapper.addGroupMappingInLDAP("group11", johnLdap);
groupMapper.addGroupMappingInLDAP(realm, "group11", johnLdap);
// Assert groups not yet imported to Keycloak DB
Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group1"));

12
testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPGroupMapperTest.java
View file

@ -103,7 +103,7 @@ public class LDAPGroupMapperTest {
// Sync LDAP groups to Keycloak DB
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm,ldapModel, "groupsMapper");
new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(mapperModel, ldapFedProvider, session, appRealm);
new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(appRealm);
// Delete all LDAP users
LDAPTestUtils.removeAllLDAPUsers(ldapFedProvider, appRealm);
@ -220,8 +220,8 @@ public class LDAPGroupMapperTest {
GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, appRealm);
LDAPObject maryLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "marykeycloak");
groupMapper.addGroupMappingInLDAP("group1", maryLdap);
groupMapper.addGroupMappingInLDAP("group11", maryLdap);
groupMapper.addGroupMappingInLDAP(appRealm, "group1", maryLdap);
groupMapper.addGroupMappingInLDAP(appRealm, "group11", maryLdap);
// Add some group mapping to model
mary.joinGroup(group12);
@ -282,8 +282,8 @@ public class LDAPGroupMapperTest {
GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, appRealm);
LDAPObject robLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "robkeycloak");
groupMapper.addGroupMappingInLDAP("group11", robLdap);
groupMapper.addGroupMappingInLDAP("group12", robLdap);
groupMapper.addGroupMappingInLDAP(appRealm, "group11", robLdap);
groupMapper.addGroupMappingInLDAP(appRealm, "group12", robLdap);
// Get user and check that he has requested groupa from LDAP
UserModel rob = session.users().getUserByUsername("robkeycloak", appRealm);
@ -349,7 +349,7 @@ public class LDAPGroupMapperTest {
LDAPUtils.addMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, group2, nonExistentLdapUser, true);
// 4 - Check group members. Just existing user rob should be present
groupMapper.syncDataFromFederationProviderToKeycloak();
groupMapper.syncDataFromFederationProviderToKeycloak(appRealm);
GroupModel kcGroup2 = KeycloakModelUtils.findGroupByPath(appRealm, "/group2");
List<UserModel> groupUsers = session.users().getGroupMembers(appRealm, kcGroup2, 0, 5);
Assert.assertEquals(1, groupUsers.size());

8
testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPTestUtils.java
View file

@ -238,11 +238,11 @@ public class LDAPTestUtils {
ComponentModel mapperModel = getSubcomponentByName(realm, providerModel, "realmRolesMapper");
RoleLDAPStorageMapper roleMapper = getRoleMapper(mapperModel, ldapProvider, realm);
roleMapper.syncDataFromFederationProviderToKeycloak();
roleMapper.syncDataFromFederationProviderToKeycloak(realm);
mapperModel = getSubcomponentByName(realm, providerModel, "financeRolesMapper");
roleMapper = getRoleMapper(mapperModel, ldapProvider, realm);
roleMapper.syncDataFromFederationProviderToKeycloak();
roleMapper.syncDataFromFederationProviderToKeycloak(realm);
}
public static void removeAllLDAPUsers(LDAPStorageProvider ldapProvider, RealmModel realm) {
@ -296,11 +296,11 @@ public class LDAPTestUtils {
}
public static GroupLDAPStorageMapper getGroupMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm) {
return new GroupLDAPStorageMapper(mapperModel, ldapProvider, realm, new GroupLDAPStorageMapperFactory());
return new GroupLDAPStorageMapper(mapperModel, ldapProvider, new GroupLDAPStorageMapperFactory());
}
public static RoleLDAPStorageMapper getRoleMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider, RealmModel realm) {
return new RoleLDAPStorageMapper(mapperModel, ldapProvider, realm, new RoleLDAPStorageMapperFactory());
return new RoleLDAPStorageMapper(mapperModel, ldapProvider, new RoleLDAPStorageMapperFactory());
}