Hot Rod map storage: Login failure no-downtime store

This commit is contained in:
Martin Kanis 2022-03-25 13:33:30 +01:00 committed by Hynek Mlnařík
parent f57d0dd100
commit 395bd447f2
9 changed files with 137 additions and 2 deletions

View file

@ -27,15 +27,19 @@ import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RoleModel; import org.keycloak.models.RoleModel;
import org.keycloak.models.UserLoginFailureModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.map.authSession.MapAuthenticationSessionEntity; import org.keycloak.models.map.authSession.MapAuthenticationSessionEntity;
import org.keycloak.models.map.authSession.MapRootAuthenticationSessionEntity; import org.keycloak.models.map.authSession.MapRootAuthenticationSessionEntity;
import org.keycloak.models.map.clientscope.MapClientScopeEntity; import org.keycloak.models.map.clientscope.MapClientScopeEntity;
import org.keycloak.models.map.group.MapGroupEntity; import org.keycloak.models.map.group.MapGroupEntity;
import org.keycloak.models.map.loginFailure.MapUserLoginFailureEntity;
import org.keycloak.models.map.role.MapRoleEntity; import org.keycloak.models.map.role.MapRoleEntity;
import org.keycloak.models.map.storage.hotRod.authSession.HotRodAuthenticationSessionEntityDelegate; import org.keycloak.models.map.storage.hotRod.authSession.HotRodAuthenticationSessionEntityDelegate;
import org.keycloak.models.map.storage.hotRod.authSession.HotRodRootAuthenticationSessionEntity; import org.keycloak.models.map.storage.hotRod.authSession.HotRodRootAuthenticationSessionEntity;
import org.keycloak.models.map.storage.hotRod.authSession.HotRodRootAuthenticationSessionEntityDelegate; import org.keycloak.models.map.storage.hotRod.authSession.HotRodRootAuthenticationSessionEntityDelegate;
import org.keycloak.models.map.storage.hotRod.loginFailure.HotRodUserLoginFailureEntity;
import org.keycloak.models.map.storage.hotRod.loginFailure.HotRodUserLoginFailureEntityDelegate;
import org.keycloak.models.map.storage.hotRod.role.HotRodRoleEntity; import org.keycloak.models.map.storage.hotRod.role.HotRodRoleEntity;
import org.keycloak.models.map.storage.hotRod.role.HotRodRoleEntityDelegate; import org.keycloak.models.map.storage.hotRod.role.HotRodRoleEntityDelegate;
import org.keycloak.models.map.storage.hotRod.client.HotRodClientEntity; import org.keycloak.models.map.storage.hotRod.client.HotRodClientEntity;
@ -84,6 +88,7 @@ public class HotRodMapStorageProviderFactory implements AmphibianProviderFactory
.constructor(MapUserCredentialEntity.class, HotRodUserCredentialEntityDelegate::new) .constructor(MapUserCredentialEntity.class, HotRodUserCredentialEntityDelegate::new)
.constructor(MapUserFederatedIdentityEntity.class, HotRodUserFederatedIdentityEntityDelegate::new) .constructor(MapUserFederatedIdentityEntity.class, HotRodUserFederatedIdentityEntityDelegate::new)
.constructor(MapUserConsentEntity.class, HotRodUserConsentEntityDelegate::new) .constructor(MapUserConsentEntity.class, HotRodUserConsentEntityDelegate::new)
.constructor(MapUserLoginFailureEntity.class, HotRodUserLoginFailureEntityDelegate::new)
.build(); .build();
public static final Map<Class<?>, HotRodEntityDescriptor<?, ?>> ENTITY_DESCRIPTOR_MAP = new HashMap<>(); public static final Map<Class<?>, HotRodEntityDescriptor<?, ?>> ENTITY_DESCRIPTOR_MAP = new HashMap<>();
@ -122,6 +127,12 @@ public class HotRodMapStorageProviderFactory implements AmphibianProviderFactory
new HotRodEntityDescriptor<>(UserModel.class, new HotRodEntityDescriptor<>(UserModel.class,
HotRodUserEntity.class, HotRodUserEntity.class,
HotRodUserEntityDelegate::new)); HotRodUserEntityDelegate::new));
// Login failure descriptor
ENTITY_DESCRIPTOR_MAP.put(UserLoginFailureModel.class,
new HotRodEntityDescriptor<>(UserLoginFailureModel.class,
HotRodUserLoginFailureEntity.class,
HotRodUserLoginFailureEntityDelegate::new));
} }
@Override @Override

View file

@ -26,6 +26,7 @@ import org.keycloak.models.map.storage.hotRod.client.HotRodClientEntity;
import org.keycloak.models.map.storage.hotRod.client.HotRodProtocolMapperEntity; import org.keycloak.models.map.storage.hotRod.client.HotRodProtocolMapperEntity;
import org.keycloak.models.map.storage.hotRod.clientscope.HotRodClientScopeEntity; import org.keycloak.models.map.storage.hotRod.clientscope.HotRodClientScopeEntity;
import org.keycloak.models.map.storage.hotRod.group.HotRodGroupEntity; import org.keycloak.models.map.storage.hotRod.group.HotRodGroupEntity;
import org.keycloak.models.map.storage.hotRod.loginFailure.HotRodUserLoginFailureEntity;
import org.keycloak.models.map.storage.hotRod.role.HotRodRoleEntity; import org.keycloak.models.map.storage.hotRod.role.HotRodRoleEntity;
import org.keycloak.models.map.storage.hotRod.user.HotRodUserConsentEntity; import org.keycloak.models.map.storage.hotRod.user.HotRodUserConsentEntity;
import org.keycloak.models.map.storage.hotRod.user.HotRodUserCredentialEntity; import org.keycloak.models.map.storage.hotRod.user.HotRodUserCredentialEntity;
@ -61,6 +62,9 @@ import org.keycloak.models.map.storage.hotRod.user.HotRodUserFederatedIdentityEn
HotRodUserCredentialEntity.class, HotRodUserCredentialEntity.class,
HotRodUserFederatedIdentityEntity.class, HotRodUserFederatedIdentityEntity.class,
// Login Failures
HotRodUserLoginFailureEntity.class,
// Common // Common
HotRodPair.class, HotRodPair.class,
HotRodAttributeEntity.class, HotRodAttributeEntity.class,

View file

@ -0,0 +1,95 @@
/*
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.models.map.storage.hotRod.loginFailure;
import org.infinispan.protostream.annotations.ProtoDoc;
import org.infinispan.protostream.annotations.ProtoField;
import org.keycloak.models.map.annotations.GenerateHotRodEntityImplementation;
import org.keycloak.models.map.loginFailure.MapUserLoginFailureEntity;
import org.keycloak.models.map.storage.hotRod.common.AbstractHotRodEntity;
import org.keycloak.models.map.storage.hotRod.common.UpdatableHotRodEntityDelegateImpl;
@GenerateHotRodEntityImplementation(
implementInterface = "org.keycloak.models.map.loginFailure.MapUserLoginFailureEntity",
inherits = "org.keycloak.models.map.storage.hotRod.loginFailure.HotRodUserLoginFailureEntity.AbstractHotRodUserLoginFailureEntityDelegate"
)
@ProtoDoc("@Indexed")
public class HotRodUserLoginFailureEntity extends AbstractHotRodEntity {
@ProtoField(number = 1, required = true)
public int entityVersion = 1;
@ProtoField(number = 2, required = true)
public String id;
@ProtoDoc("@Field(index = Index.YES, store = Store.YES)")
@ProtoField(number = 3)
public String realmId;
@ProtoDoc("@Field(index = Index.YES, store = Store.YES)")
@ProtoField(number = 4)
public String userId;
@ProtoField(number = 5)
public Integer failedLoginNotBefore;
@ProtoField(number = 6)
public Integer numFailures;
@ProtoField(number = 7)
public Long lastFailure;
@ProtoField(number = 8)
public String lastIPFailure;
public static abstract class AbstractHotRodUserLoginFailureEntityDelegate extends UpdatableHotRodEntityDelegateImpl<HotRodUserLoginFailureEntity> implements MapUserLoginFailureEntity {
@Override
public String getId() {
return getHotRodEntity().id;
}
@Override
public void setId(String id) {
HotRodUserLoginFailureEntity entity = getHotRodEntity();
if (entity.id != null) throw new IllegalStateException("Id cannot be changed");
entity.id = id;
entity.updated |= id != null;
}
@Override
public void clearFailures() {
HotRodUserLoginFailureEntity entity = getHotRodEntity();
entity.updated |= getFailedLoginNotBefore() != null || getNumFailures() != null || getLastFailure() != null || getLastIPFailure() != null;
setFailedLoginNotBefore(null);
setNumFailures(null);
setLastFailure(null);
setLastIPFailure(null);
}
}
@Override
public boolean equals(Object o) {
return HotRodUserLoginFailureEntityDelegate.entityEquals(this, o);
}
@Override
public int hashCode() {
return HotRodUserLoginFailureEntityDelegate.entityHashCode(this);
}
}

View file

@ -54,5 +54,13 @@
</indexing> </indexing>
<encoding media-type="application/x-protostream"/> <encoding media-type="application/x-protostream"/>
</distributed-cache> </distributed-cache>
<distributed-cache name="user-login-failures" mode="SYNC">
<indexing>
<indexed-entities>
<indexed-entity>kc.HotRodUserLoginFailureEntity</indexed-entity>
</indexed-entities>
</indexing>
<encoding media-type="application/x-protostream"/>
</distributed-cache>
</cache-container> </cache-container>
</infinispan> </infinispan>

View file

@ -56,5 +56,13 @@
</indexing> </indexing>
<encoding media-type="application/x-protostream"/> <encoding media-type="application/x-protostream"/>
</distributed-cache> </distributed-cache>
<distributed-cache name="user-login-failures" mode="SYNC">
<indexing>
<indexed-entities>
<indexed-entity>kc.HotRodUserLoginFailureEntity</indexed-entity>
</indexed-entities>
</indexing>
<encoding media-type="application/x-protostream"/>
</distributed-cache>
</cache-container> </cache-container>
</infinispan> </infinispan>

View file

@ -266,7 +266,7 @@
"username": "${keycloak.connectionsHotRod.username:myuser}", "username": "${keycloak.connectionsHotRod.username:myuser}",
"password": "${keycloak.connectionsHotRod.password:qwer1234!}", "password": "${keycloak.connectionsHotRod.password:qwer1234!}",
"enableSecurity": "${keycloak.connectionsHotRod.enableSecurity:true}", "enableSecurity": "${keycloak.connectionsHotRod.enableSecurity:true}",
"reindexCaches": "${keycloak.connectionsHotRod.reindexCaches:auth-sessions,clients,client-scopes,groups,users,roles}" "reindexCaches": "${keycloak.connectionsHotRod.reindexCaches:auth-sessions,clients,client-scopes,groups,users,user-login-failures,roles}"
} }
}, },

View file

@ -1502,6 +1502,7 @@
<keycloak.group.map.storage.provider>hotrod</keycloak.group.map.storage.provider> <keycloak.group.map.storage.provider>hotrod</keycloak.group.map.storage.provider>
<keycloak.role.map.storage.provider>hotrod</keycloak.role.map.storage.provider> <keycloak.role.map.storage.provider>hotrod</keycloak.role.map.storage.provider>
<keycloak.user.map.storage.provider>hotrod</keycloak.user.map.storage.provider> <keycloak.user.map.storage.provider>hotrod</keycloak.user.map.storage.provider>
<keycloak.loginFailure.map.storage.provider>hotrod</keycloak.loginFailure.map.storage.provider>
</systemPropertyVariables> </systemPropertyVariables>
</configuration> </configuration>
</plugin> </plugin>

View file

@ -52,5 +52,13 @@
</indexing> </indexing>
<encoding media-type="application/x-protostream"/> <encoding media-type="application/x-protostream"/>
</distributed-cache> </distributed-cache>
<distributed-cache name="user-login-failures" mode="SYNC">
<indexing>
<indexed-entities>
<indexed-entity>kc.HotRodUserLoginFailureEntity</indexed-entity>
</indexed-entities>
</indexing>
<encoding media-type="application/x-protostream"/>
</distributed-cache>
</cache-container> </cache-container>
</infinispan> </infinispan>

View file

@ -83,7 +83,7 @@ public class HotRodMapStorage extends KeycloakModelParameters {
.spi("user").provider(MapUserProviderFactory.PROVIDER_ID).config(STORAGE_CONFIG, HotRodMapStorageProviderFactory.PROVIDER_ID) .spi("user").provider(MapUserProviderFactory.PROVIDER_ID).config(STORAGE_CONFIG, HotRodMapStorageProviderFactory.PROVIDER_ID)
.spi(UserSessionSpi.NAME).provider(MapUserSessionProviderFactory.PROVIDER_ID).config("storage-user-sessions.provider", ConcurrentHashMapStorageProviderFactory.PROVIDER_ID) .spi(UserSessionSpi.NAME).provider(MapUserSessionProviderFactory.PROVIDER_ID).config("storage-user-sessions.provider", ConcurrentHashMapStorageProviderFactory.PROVIDER_ID)
.config("storage-client-sessions.provider", ConcurrentHashMapStorageProviderFactory.PROVIDER_ID) .config("storage-client-sessions.provider", ConcurrentHashMapStorageProviderFactory.PROVIDER_ID)
.spi(UserLoginFailureSpi.NAME).provider(MapUserLoginFailureProviderFactory.PROVIDER_ID).config(STORAGE_CONFIG, ConcurrentHashMapStorageProviderFactory.PROVIDER_ID) .spi(UserLoginFailureSpi.NAME).provider(MapUserLoginFailureProviderFactory.PROVIDER_ID).config(STORAGE_CONFIG, HotRodMapStorageProviderFactory.PROVIDER_ID)
.spi("dblock").provider(NoLockingDBLockProviderFactory.PROVIDER_ID).config(STORAGE_CONFIG, ConcurrentHashMapStorageProviderFactory.PROVIDER_ID); .spi("dblock").provider(NoLockingDBLockProviderFactory.PROVIDER_ID).config(STORAGE_CONFIG, ConcurrentHashMapStorageProviderFactory.PROVIDER_ID);
cf.spi(MapStorageSpi.NAME) cf.spi(MapStorageSpi.NAME)