From 5f006b283a999a965adb7b712608b9d0978a9ae3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Couralet?=
Date: Fri, 4 Oct 2019 16:28:02 +0200
Subject: [PATCH] KEYCLOAK-8316 Add an option to ldap provider to trust emails on import
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Cédric Couralet
---
 .../org/keycloak/storage/ldap/LDAPConfig.java | 6 +++
 .../storage/ldap/LDAPStorageProvider.java | 5 ++-
 .../ldap/LDAPStorageProviderFactory.java | 4 ++
 .../org/keycloak/models/LDAPConstants.java | 2 +
 .../ldap/LDAPProvidersIntegrationTest.java | 37 +++++++++++++++++++
 .../messages/admin-messages_en.properties | 1 +
 .../resources/partials/user-storage-ldap.html | 7 ++++
 7 files changed, 60 insertions(+), 2 deletions(-)

diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPConfig.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPConfig.java
index 1b938472f3..8cdce70f58 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPConfig.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPConfig.java
@@ -22,6 +22,7 @@ import org.keycloak.models.LDAPConstants;
 import org.keycloak.storage.UserStorageProvider;
 
 import javax.naming.directory.SearchControls;
+
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
@@ -110,6 +111,11 @@ public class LDAPConfig {
 return Boolean.parseBoolean(validatePPolicy);
 }
 
+ public boolean isTrustEmail(){
+ String trustEmail = config.getFirst(LDAPConstants.TRUST_EMAIL);
+ return Boolean.parseBoolean(trustEmail);
+ }
+
 public String getConnectionPooling() {
 if(isStartTls()) {
 return null;
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java
index 96bd444dc1..fe806c5c30 100755
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java
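Review bot: isTrustEmail() in the second hunk has no Javadoc although it switches on a security-relevant behaviour (imported users skip email verification), and its default is only implicit: getFirst() presumably returns null when the option is unset, and Boolean.parseBoolean(null) yields false. A one-line Javadoc would make that explicit, e.g. `/** True when email addresses imported from LDAP are to be marked verified without a verification mail; unset, or any value other than "true" (case-insensitive), means false. */`. The brace style `isTrustEmail(){` also differs from the neighbouring `getConnectionPooling() {`. The enclosing class LDAPConfig continues outside the hunk.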
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java @@ -524,8 +524,9 @@ public class LDAPStorageProvider implements UserStorageProvider, if (model.isImportEnabled()) imported.setFederationLink(model.getId()); imported.setSingleAttribute(LDAPConstants.LDAP_ID, ldapUser.getUuid()); imported.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, userDN); - - + if(getLdapIdentityStore().getConfig().isTrustEmail()){ + imported.setEmailVerified(true); + } logger.debugf("Imported new user from LDAP to Keycloak DB. Username: [%s], Email: [%s], LDAP_ID: [%s], LDAP Entry DN: [%s]", imported.getUsername(), imported.getEmail(), ldapUser.getUuid(), userDN); UserModel proxy = proxy(realm, imported, ldapUser); diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java index bbaad44712..82895646d3 100755 --- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java +++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java 
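Review bot: `imported.setEmailVerified(true)` runs whenever the option is on, including when no email was mapped and `imported.getEmail()` is null or blank, so a user without an address is stored as having a verified one; guard it, `if (getLdapIdentityStore().getConfig().isTrustEmail() && imported.getEmail() != null && !imported.getEmail().trim().isEmpty()) {`. The flag is set only on this import path, so if the LDAP mail attribute later changes and the mapper updates the local email on sync, the verified flag presumably stays true — worth confirming and stating in the option's documentation. The debug line that follows could also log the verified state so that the trust decision is visible when troubleshooting. The enclosing method starts and ends outside the hunk.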
@@ -149,6 +149,10 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory {
+ LDAPTestContext ctx = LDAPTestContext.init(session);
+ ctx.getLdapModel().put(LDAPConstants.TRUST_EMAIL, "true");
+ ctx.getRealm().updateComponent(ctx.getLdapModel());
+ LDAPTestUtils.addLDAPUser(ctx.getLdapProvider(), ctx.getRealm(), "testUserVerified", "John", "Email", "john@test.com", null, "1234");
+ });
+ loginPage.open();
+ loginPage.login("testuserVerified", "password");
+
+ testingClient.server().run(session -> {
+ RealmModel appRealm = session.realms().getRealmByName(TEST_REALM_NAME);
+ List userVerified = session.users().searchForUser("john@test.com", appRealm);
+ Assert.assertTrue(userVerified.get(0).isEmailVerified());
+ });
+
+ //Test untrusted email option
+ testingClient.server().run(session -> {
+ LDAPTestContext ctx = LDAPTestContext.init(session);
+ ctx.getLdapModel().put(LDAPConstants.TRUST_EMAIL, "false");
+ ctx.getRealm().updateComponent(ctx.getLdapModel());
+ LDAPTestUtils.addLDAPUser(ctx.getLdapProvider(), ctx.getRealm(), "testUserNotVerified", "John", "Email", "john2@test.com", null, "1234");
+ });
+
+ loginPage.open();
+ loginPage.login("testuserNotVerified", "password");
+
+ testingClient.server().run(session -> {
+ RealmModel appRealm = session.realms().getRealmByName(TEST_REALM_NAME);
+ List userNotVerified = session.users().searchForUser("john2@test.com", appRealm);
+ Assert.assertFalse(userNotVerified.get(0).isEmailVerified());
+ });
+ }
 }
diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
index a82d914bf9..3cb886fa91 100644
--- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -953,6 +953,7 @@ ldap.search-scope.tooltip=For one level, we search for users just in DNs specifi
 use-truststore-spi=Use Truststore SPI
 ldap.use-truststore-spi.tooltip=Specifies whether LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. 'Always' means that it will always use it. 'Never' means that it won't use it. 'Only for ldaps' means that it will use if your connection URL use ldaps. Note even if standalone.xml/domain.xml is not configured, the default Java cacerts or certificate specified by 'javax.net.ssl.trustStore' property will be used.
 validate-password-policy=Validate Password Policy
+trust-email=Trust Email
 connection-pooling=Connection Pooling
 connection-pooling-settings=Connection Pooling Settings
 connection-pooling-authentication=Connection Pooling Authentication
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/user-storage-ldap.html b/themes/src/main/resources/theme/base/admin/resources/partials/user-storage-ldap.html
index 9a657f99ac..c57d10de94 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/user-storage-ldap.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/user-storage-ldap.html
@@ -191,6 +191,13 @@ {{:: 'ldap.validate-password-policy.tooltip' | translate}} +
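Review bot: The tooltip text for the new option is missing from this hunk: only `trust-email=Trust Email` is added, while the partial later in this patch renders `{{:: 'trust-email.tooltip' | translate}}`. Unless that key already exists in this file for another provider type, the tooltip shows the raw key, and if it does exist its wording may not describe LDAP import. Because the option disables email verification for imported users, an LDAP-specific message is worth adding, e.g. `ldap.trust-email.tooltip=If enabled, users imported from LDAP are created with their email marked as verified, so the realm's email verification is skipped for them.`, with the partial referencing that key.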
+ +
+ +
+ {{:: 'trust-email.tooltip' | translate}} +