Merge pull request #824 from mposolda/master
KEYCLOAK-808 Issue when DB search is case-sensitive but LDAP search is n...
This commit is contained in:
commit
39686d5d4e
2 changed files with 45 additions and 1 deletions
|
@ -211,6 +211,12 @@ public class LDAPFederationProvider implements UserFederationProvider {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// KEYCLOAK-808: Should we allow case-sensitivity to be configurable?
|
||||||
|
if (!username.equals(picketlinkUser.getLoginName())) {
|
||||||
|
logger.warnf("User found in LDAP but with different username. LDAP username: %s, Searched username: %s", username, picketlinkUser.getLoginName());
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
return importUserFromPicketlink(realm, picketlinkUser);
|
return importUserFromPicketlink(realm, picketlinkUser);
|
||||||
} catch (IdentityManagementException ie) {
|
} catch (IdentityManagementException ie) {
|
||||||
throw convertIDMException(ie);
|
throw convertIDMException(ie);
|
||||||
|
@ -223,6 +229,11 @@ public class LDAPFederationProvider implements UserFederationProvider {
|
||||||
|
|
||||||
protected UserModel importUserFromPicketlink(RealmModel realm, User picketlinkUser) {
|
protected UserModel importUserFromPicketlink(RealmModel realm, User picketlinkUser) {
|
||||||
String email = (picketlinkUser.getEmail() != null && picketlinkUser.getEmail().trim().length() > 0) ? picketlinkUser.getEmail() : null;
|
String email = (picketlinkUser.getEmail() != null && picketlinkUser.getEmail().trim().length() > 0) ? picketlinkUser.getEmail() : null;
|
||||||
|
|
||||||
|
if (picketlinkUser.getLoginName() == null) {
|
||||||
|
throw new ModelException("User returned from LDAP has null username! Check configuration of your LDAP mappings. ID of user from LDAP: " + picketlinkUser.getId());
|
||||||
|
}
|
||||||
|
|
||||||
UserModel imported = session.userStorage().addUser(realm, picketlinkUser.getLoginName());
|
UserModel imported = session.userStorage().addUser(realm, picketlinkUser.getLoginName());
|
||||||
imported.setEnabled(true);
|
imported.setEnabled(true);
|
||||||
imported.setEmail(email);
|
imported.setEmail(email);
|
||||||
|
@ -247,6 +258,13 @@ public class LDAPFederationProvider implements UserFederationProvider {
|
||||||
if (picketlinkUser == null) {
|
if (picketlinkUser == null) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// KEYCLOAK-808: Should we allow case-sensitivity to be configurable?
|
||||||
|
if (!email.equals(picketlinkUser.getEmail())) {
|
||||||
|
logger.warnf("User found in LDAP but with different email. LDAP email: %s, Searched email: %s", email, picketlinkUser.getEmail());
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
return importUserFromPicketlink(realm, picketlinkUser);
|
return importUserFromPicketlink(realm, picketlinkUser);
|
||||||
} catch (IdentityManagementException ie) {
|
} catch (IdentityManagementException ie) {
|
||||||
throw convertIDMException(ie);
|
throw convertIDMException(ie);
|
||||||
|
|
|
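Review bot: The two warnf calls added at the username and email mismatch checks pass their arguments in the wrong order: the format reads `LDAP username: %s, Searched username: %s`, but the first value passed is `username`, which is what the caller searched for, while `picketlinkUser.getLoginName()` is what LDAP actually returned (the email variant has the same swap). Since this warning is the only trace an operator gets of a user being found in LDAP but rejected locally, the calls should read `logger.warnf("User found in LDAP but with different username. LDAP username: %s, Searched username: %s", picketlinkUser.getLoginName(), username);` and `logger.warnf("User found in LDAP but with different email. LDAP email: %s, Searched email: %s", picketlinkUser.getEmail(), email);`. The rejection itself is the right default: importing the LDAP-returned name after a case-insensitive LDAP match would create a local account whose username or email differs from the value that was authenticated, so returning null until the comparison is made configurable is the safe choice. Both enclosing lookup methods start outside the hunk.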
@ -147,6 +147,15 @@ public class FederationProvidersIntegrationTest {
|
||||||
Assert.assertEquals("john@email.org", profilePage.getEmail());
|
Assert.assertEquals("john@email.org", profilePage.getEmail());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void loginLdapWithEmail() {
|
||||||
|
loginPage.open();
|
||||||
|
loginPage.login("john@email.org", "Password1");
|
||||||
|
|
||||||
|
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||||
|
Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void XdeleteLink() {
|
public void XdeleteLink() {
|
||||||
loginLdap();
|
loginLdap();
|
||||||
|
@ -200,6 +209,11 @@ public class FederationProvidersIntegrationTest {
|
||||||
loginPage.open();
|
loginPage.open();
|
||||||
loginPage.login("johnkeycloak", "New-password1");
|
loginPage.login("johnkeycloak", "New-password1");
|
||||||
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||||
|
|
||||||
|
// Change password back to previous value
|
||||||
|
changePasswordPage.open();
|
||||||
|
changePasswordPage.changePassword("New-password1", "Password1", "Password1");
|
||||||
|
Assert.assertEquals("Your password has been updated", profilePage.getSuccess());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -370,7 +384,7 @@ public class FederationProvidersIntegrationTest {
|
||||||
Assert.assertTrue(session.users().validCredentials(appRealm, user, cred));
|
Assert.assertTrue(session.users().validCredentials(appRealm, user, cred));
|
||||||
|
|
||||||
// LDAP password is still unchanged
|
// LDAP password is still unchanged
|
||||||
Assert.assertTrue(LDAPUtils.validatePassword(getPartitionManager(session, model), "johnkeycloak", "New-password1"));
|
Assert.assertTrue(LDAPUtils.validatePassword(getPartitionManager(session, model), "johnkeycloak", "Password1"));
|
||||||
|
|
||||||
// ATM it's not permitted to delete user in unsynced mode. Should be user deleted just locally instead?
|
// ATM it's not permitted to delete user in unsynced mode. Should be user deleted just locally instead?
|
||||||
Assert.assertFalse(session.users().removeUser(appRealm, user));
|
Assert.assertFalse(session.users().removeUser(appRealm, user));
|
||||||
|
@ -387,6 +401,18 @@ public class FederationProvidersIntegrationTest {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCaseSensitiveSearch() {
|
||||||
|
loginPage.open();
|
||||||
|
|
||||||
|
// This should fail for now due to case-sensitivity
|
||||||
|
loginPage.login("johnKeycloak", "Password1");
|
||||||
|
Assert.assertEquals("Invalid username or password.", loginPage.getError());
|
||||||
|
|
||||||
|
loginPage.login("John@email.org", "Password1");
|
||||||
|
Assert.assertEquals("Invalid username or password.", loginPage.getError());
|
||||||
|
}
|
||||||
|
|
||||||
static PartitionManager getPartitionManager(KeycloakSession keycloakSession, UserFederationProviderModel ldapFedModel) {
|
static PartitionManager getPartitionManager(KeycloakSession keycloakSession, UserFederationProviderModel ldapFedModel) {
|
||||||
PartitionManagerProvider partitionManagerProvider = keycloakSession.getProvider(PartitionManagerProvider.class);
|
PartitionManagerProvider partitionManagerProvider = keycloakSession.getProvider(PartitionManagerProvider.class);
|
||||||
return partitionManagerProvider.getPartitionManager(ldapFedModel);
|
return partitionManagerProvider.getPartitionManager(ldapFedModel);
|
||||||
|
|
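Review bot: `testCaseSensitiveSearch` cannot distinguish the case-mismatch rejection it is meant to pin from an ordinary wrong-password failure, since both surface as `Invalid username or password.`; the same class has another test change johnkeycloak's password to `New-password1`, and this commit has to restore it (the `changePasswordPage.changePassword("New-password1", "Password1", "Password1")` hunk and the updated `LDAPUtils.validatePassword` assertion) precisely because tests share that state. A positive control, logging in as `johnkeycloak` with `Password1` before the mixed-case attempts, would make the negative assertions meaningful, and a check that no local user was imported under either the searched name or the LDAP-returned name after the failed attempts would cover the actual KEYCLOAK-808 risk rather than only the login outcome. The comment `// This should fail for now due to case-sensitivity` would be clearer as `// Exact-case comparison is intentional (KEYCLOAK-808): a mixed-case username or email must not match until case-sensitivity is configurable`.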