fix: accounting for the possibility of null flows from existing realms

closes: #23980

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
This commit is contained in:
Steve Hawkins 2024-03-06 12:47:19 -05:00 committed by Marek Posolda
parent 7695532011
commit 4091baf4c2
5 changed files with 64 additions and 35 deletions

View file

@ -1288,38 +1288,35 @@ public class DefaultExportImportManager implements ExportImportManager {
}
public static Map<String, String> importAuthenticationFlows(KeycloakSession session, RealmModel newRealm, RealmRepresentation rep) {
Map<String, String> mappedFlows = new HashMap<>();
if (rep.getAuthenticationFlows() == null) {
// assume this is an old version being imported
DefaultAuthenticationFlows.migrateFlows(newRealm);
} else {
if (rep.getAuthenticatorConfig() != null) {
for (AuthenticatorConfigRepresentation configRep : rep.getAuthenticatorConfig()) {
if (configRep.getAlias() == null) {
// this can happen only during import json files from keycloak 3.4.0 and older
throw new IllegalStateException("Provided realm contains authenticator config with null alias. "
+ "It should be resolved by adding alias to the authenticator config before exporting the realm.");
}
AuthenticatorConfigModel model = RepresentationToModel.toModel(configRep);
newRealm.addAuthenticatorConfig(model);
if (rep.getAuthenticatorConfig() != null) {
for (AuthenticatorConfigRepresentation configRep : rep.getAuthenticatorConfig()) {
if (configRep.getAlias() == null) {
// this can happen only during import json files from keycloak 3.4.0 and older
throw new IllegalStateException("Provided realm contains authenticator config with null alias. "
+ "It should be resolved by adding alias to the authenticator config before exporting the realm.");
}
AuthenticatorConfigModel model = RepresentationToModel.toModel(configRep);
newRealm.addAuthenticatorConfig(model);
}
if (rep.getAuthenticationFlows() != null) {
for (AuthenticationFlowRepresentation flowRep : rep.getAuthenticationFlows()) {
AuthenticationFlowModel model = RepresentationToModel.toModel(flowRep);
String previousId = model.getId();
model = newRealm.addAuthenticationFlow(model);
// store the mapped ids so that clients can reference the correct flow when importing the authenticationFlowBindingOverrides
mappedFlows.put(previousId, model.getId());
}
for (AuthenticationFlowRepresentation flowRep : rep.getAuthenticationFlows()) {
AuthenticationFlowModel model = newRealm.getFlowByAlias(flowRep.getAlias());
for (AuthenticationExecutionExportRepresentation exeRep : flowRep.getAuthenticationExecutions()) {
AuthenticationExecutionModel execution = toModel(session, newRealm, model, exeRep);
newRealm.addAuthenticatorExecution(execution);
}
}
if (rep.getAuthenticationFlows() != null) {
for (AuthenticationFlowRepresentation flowRep : rep.getAuthenticationFlows()) {
AuthenticationFlowModel model = RepresentationToModel.toModel(flowRep);
String previousId = model.getId();
model = newRealm.addAuthenticationFlow(model);
// store the mapped ids so that clients can reference the correct flow when importing the authenticationFlowBindingOverrides
mappedFlows.put(previousId, model.getId());
}
for (AuthenticationFlowRepresentation flowRep : rep.getAuthenticationFlows()) {
AuthenticationFlowModel model = newRealm.getFlowByAlias(flowRep.getAlias());
for (AuthenticationExecutionExportRepresentation exeRep : flowRep.getAuthenticationExecutions()) {
AuthenticationExecutionModel execution = toModel(session, newRealm, model, exeRep);
newRealm.addAuthenticatorExecution(execution);
}
}
}
DefaultAuthenticationFlows.migrateFlows(newRealm);
if (rep.getBrowserFlow() == null) {
AuthenticationFlowModel defaultFlow = newRealm.getFlowByAlias(DefaultAuthenticationFlows.BROWSER_FLOW);
if (defaultFlow != null) {

View file

@ -43,7 +43,7 @@ public class AuthenticationMapper {
final List<String> useAsDefault = Stream.of(realm.getBrowserFlow(), realm.getRegistrationFlow(), realm.getDirectGrantFlow(),
realm.getResetCredentialsFlow(), realm.getClientAuthenticationFlow(), realm.getDockerAuthenticationFlow(), realm.getFirstBrokerLoginFlow())
.filter(f -> flow.getAlias().equals(f.getAlias())).map(AuthenticationFlowModel::getAlias).collect(Collectors.toList());
.filter(f -> f != null && flow.getAlias().equals(f.getAlias())).map(AuthenticationFlowModel::getAlias).collect(Collectors.toList());
if (!useAsDefault.isEmpty()) {
authentication.setUsedBy(new UsedBy(UsedBy.UsedByType.DEFAULT, useAsDefault));

View file

@ -605,13 +605,15 @@ public class DefaultAuthenticationFlows {
if (browserFlow == null) {
browserFlow = realm.getFlowByAlias(DefaultAuthenticationFlows.BROWSER_FLOW);
}
List<AuthenticationExecutionModel> browserExecutions = new LinkedList<>();
KeycloakModelUtils.deepFindAuthenticationExecutions(realm, browserFlow, browserExecutions);
for (AuthenticationExecutionModel browserExecution : browserExecutions) {
if (browserExecution.isAuthenticatorFlow()){
if (realm.getAuthenticationExecutionsStream(browserExecution.getFlowId())
.anyMatch(e -> e.getAuthenticator().equals("auth-otp-form"))){
execution.setRequirement(browserExecution.getRequirement());
if (browserFlow != null) {
List<AuthenticationExecutionModel> browserExecutions = new LinkedList<>();
KeycloakModelUtils.deepFindAuthenticationExecutions(realm, browserFlow, browserExecutions);
for (AuthenticationExecutionModel browserExecution : browserExecutions) {
if (browserExecution.isAuthenticatorFlow()){
if (realm.getAuthenticationExecutionsStream(browserExecution.getFlowId())
.anyMatch(e -> e.getAuthenticator().equals("auth-otp-form"))){
execution.setRequirement(browserExecution.getRequirement());
}
}
}
}

View file

@ -257,6 +257,13 @@ public class ExportImportTest extends AbstractKeycloakTest {
addTestRealmToTestRealmReps("import-without-clients");
}
@Test
public void testImportFromRealmWithPartialAuthenticationFlows() {
// import a realm with no built-in authentication flows
importRealmFromFile("/import/partial-authentication-flows-import.json");
Assert.assertTrue("Imported realm hasn't been found!", isRealmPresent("partial-authentication-flows-import"));
}
@Test
public void testImportWithNullAuthenticatorConfigAndNoDefaultBrowserFlow() {
importRealmFromFile("/import/testrealm-authenticator-config-null.json");

View file

@ -0,0 +1,23 @@
{
"enabled": true,
"realm": "partial-authentication-flows-import",
"authenticationFlows": [
{
"alias": "X.509 browser",
"description": "Browser-based authentication",
"providerId": "basic-flow",
"topLevel": true,
"builtIn": false,
"authenticationExecutions": [
{
"requirement": "ALTERNATIVE",
"priority": 10,
"authenticator": "auth-cookie",
"authenticatorFlow": false,
"autheticatorFlow": false,
"userSetupAllowed": false
}
]
}
]
}