libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

cred refactor

Browse source
This commit is contained in:
Bill Burke 2016-09-06 08:55:47 -04:00
parent 561661d726
commit 6714c1a136
35 changed files with 1781 additions and 342 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

102
common/src/main/java/org/keycloak/common/util/ConcurrentMultivaluedHashMap.java Executable file
View file

@ -0,0 +1,102 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.common.util;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
@SuppressWarnings("serial")
public class ConcurrentMultivaluedHashMap<K, V> extends ConcurrentHashMap<K, List<V>>
{
public void putSingle(K key, V value)
{
List<V> list = new CopyOnWriteArrayList<>();
list.add(value);
put(key, list);
}
public void addAll(K key, V... newValues)
{
for (V value : newValues)
{
add(key, value);
}
}
public void addAll(K key, List<V> valueList)
{
for (V value : valueList)
{
add(key, value);
}
}
public void addFirst(K key, V value)
{
List<V> list = get(key);
if (list == null)
{
add(key, value);
}
else
{
list.add(0, value);
}
}
public final void add(K key, V value)
{
getList(key).add(value);
}
public final void addMultiple(K key, Collection<V> values)
{
getList(key).addAll(values);
}
public V getFirst(K key)
{
List<V> list = get(key);
return list == null ? null : list.get(0);
}
public final List<V> getList(K key)
{
List<V> list = get(key);
if (list == null)
put(key, list = new CopyOnWriteArrayList<V>());
return list;
}
public void addAll(ConcurrentMultivaluedHashMap<K, V> other)
{
for (Entry<K, List<V>> entry : other.entrySet())
{
getList(entry.getKey()).addAll(entry.getValue());
}
}
}

16
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/InfinispanCacheUserProviderFactory.java → model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/InfinispanUserCacheProviderFactory.java vendored
View file

@ -18,34 +18,28 @@
package org.keycloak.models.cache.infinispan; package org.keycloak.models.cache.infinispan;
import org.infinispan.Cache; import org.infinispan.Cache;
import org.infinispan.notifications.Listener;
import org.infinispan.notifications.cachelistener.annotation.*;
import org.infinispan.notifications.cachelistener.event.*;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.Config; import org.keycloak.Config;
import org.keycloak.connections.infinispan.InfinispanConnectionProvider; import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.cache.CacheUserProvider; import org.keycloak.models.cache.UserCache;
import org.keycloak.models.cache.CacheUserProviderFactory; import org.keycloak.models.cache.UserCacheProviderFactory;
import org.keycloak.models.cache.infinispan.entities.CachedUser;
import org.keycloak.models.cache.infinispan.entities.Revisioned; import org.keycloak.models.cache.infinispan.entities.Revisioned;
import java.util.concurrent.ConcurrentHashMap;
/** /**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a> * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/ */
public class InfinispanCacheUserProviderFactory implements CacheUserProviderFactory { public class InfinispanUserCacheProviderFactory implements UserCacheProviderFactory {
private static final Logger log = Logger.getLogger(InfinispanCacheUserProviderFactory.class); private static final Logger log = Logger.getLogger(InfinispanUserCacheProviderFactory.class);
protected volatile UserCacheManager userCache; protected volatile UserCacheManager userCache;
@Override @Override
public CacheUserProvider create(KeycloakSession session) { public UserCache create(KeycloakSession session) {
lazyInit(session); lazyInit(session);
return new UserCacheSession(userCache, session); return new UserCacheSession(userCache, session);
} }

20
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java vendored
View file

@ -28,6 +28,7 @@ import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel; import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.cache.infinispan.entities.CachedUser; import org.keycloak.models.cache.infinispan.entities.CachedUser;
import org.keycloak.models.cache.infinispan.entities.CachedUserConsent; import org.keycloak.models.cache.infinispan.entities.CachedUserConsent;
import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.models.utils.KeycloakModelUtils;
@ -39,12 +40,13 @@ import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
/** /**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class UserAdapter implements UserModel { public class UserAdapter implements CachedUserModel {
protected UserModel updated; protected UserModel updated;
protected CachedUser cached; protected CachedUser cached;
protected UserCacheSession userProviderCache; protected UserCacheSession userProviderCache;
@ -65,6 +67,22 @@ public class UserAdapter implements UserModel {
if (updated == null) throw new IllegalStateException("Not found in database"); if (updated == null) throw new IllegalStateException("Not found in database");
} }
} }
@Override
public void invalidate() {
getDelegateForUpdate();
}
@Override
public long getCacheTimestamp() {
return cached.getCacheTimestamp();
}
@Override
public ConcurrentHashMap getCachedWith() {
return cached.getCachedWith();
}
@Override @Override
public String getId() { public String getId() {
if (updated != null) return updated.getId(); if (updated != null) return updated.getId();

98
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java vendored
View file

@ -20,7 +20,6 @@ package org.keycloak.models.cache.infinispan;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.common.constants.ServiceAccountConstants; import org.keycloak.common.constants.ServiceAccountConstants;
import org.keycloak.component.ComponentModel; import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.CredentialValidationOutput; import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.FederatedIdentityModel;
@ -35,7 +34,9 @@ import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserFederationProviderModel; import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider; import org.keycloak.models.UserProvider;
import org.keycloak.models.cache.CacheUserProvider; import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.cache.OnUserCache;
import org.keycloak.models.cache.UserCache;
import org.keycloak.models.cache.infinispan.entities.CachedFederatedIdentityLinks; import org.keycloak.models.cache.infinispan.entities.CachedFederatedIdentityLinks;
import org.keycloak.models.cache.infinispan.entities.CachedUser; import org.keycloak.models.cache.infinispan.entities.CachedUser;
import org.keycloak.models.cache.infinispan.entities.CachedUserConsent; import org.keycloak.models.cache.infinispan.entities.CachedUserConsent;
@ -48,7 +49,7 @@ import java.util.*;
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class UserCacheSession implements CacheUserProvider { public class UserCacheSession implements UserCache {
protected static final Logger logger = Logger.getLogger(UserCacheSession.class); protected static final Logger logger = Logger.getLogger(UserCacheSession.class);
protected UserCacheManager cache; protected UserCacheManager cache;
protected KeycloakSession session; protected KeycloakSession session;
@ -74,7 +75,6 @@ public class UserCacheSession implements CacheUserProvider {
cache.clear(); cache.clear();
} }
@Override
public UserProvider getDelegate() { public UserProvider getDelegate() {
if (!transactionActive) throw new IllegalStateException("Cannot access delegate without a transaction"); if (!transactionActive) throw new IllegalStateException("Cannot access delegate without a transaction");
if (delegate != null) return delegate; if (delegate != null) return delegate;
@ -90,6 +90,20 @@ public class UserCacheSession implements CacheUserProvider {
if (realm.isIdentityFederationEnabled()) invalidations.add(getFederatedIdentityLinksCacheKey(user.getId())); if (realm.isIdentityFederationEnabled()) invalidations.add(getFederatedIdentityLinksCacheKey(user.getId()));
} }
@Override
public void evict(RealmModel realm, UserModel user) {
if (user instanceof CachedUserModel) {
((CachedUserModel)user).invalidate();
} else {
invalidations.add(user.getId());
if (user.getEmail() != null) invalidations.add(getUserByEmailCacheKey(realm.getId(), user.getEmail()));
invalidations.add(getUserByUsernameCacheKey(realm.getId(), user.getUsername()));
if (realm.isIdentityFederationEnabled()) invalidations.add(getFederatedIdentityLinksCacheKey(user.getId()));
}
}
protected void runInvalidations() { protected void runInvalidations() {
for (String realmId : realmInvalidations) { for (String realmId : realmInvalidations) {
cache.invalidateRealmUsers(realmId, invalidations); cache.invalidateRealmUsers(realmId, invalidations);
@ -148,8 +162,13 @@ public class UserCacheSession implements CacheUserProvider {
logger.trace("registered for invalidation return delegate"); logger.trace("registered for invalidation return delegate");
return getDelegate().getUserById(id, realm); return getDelegate().getUserById(id, realm);
} }
if (managedUsers.containsKey(id)) {
logger.trace("return managedusers");
return managedUsers.get(id);
}
CachedUser cached = cache.get(id, CachedUser.class); CachedUser cached = cache.get(id, CachedUser.class);
boolean wasCached = cached != null;
if (cached == null) { if (cached == null) {
logger.trace("not cached"); logger.trace("not cached");
Long loaded = cache.getCurrentRevision(id); Long loaded = cache.getCurrentRevision(id);
@ -158,19 +177,12 @@ public class UserCacheSession implements CacheUserProvider {
logger.trace("delegate returning null"); logger.trace("delegate returning null");
return null; return null;
} }
if (managedUsers.containsKey(id)) {
logger.trace("return managedusers");
return managedUsers.get(id);
}
if (invalidations.contains(id)) return model;
cached = new CachedUser(loaded, realm, model); cached = new CachedUser(loaded, realm, model);
cache.addRevisioned(cached, startupRevision); cache.addRevisioned(cached, startupRevision);
} else if (managedUsers.containsKey(id)) {
logger.trace("return managedusers");
return managedUsers.get(id);
} }
logger.trace("returning new cache adapter"); logger.trace("returning new cache adapter");
UserAdapter adapter = new UserAdapter(cached, this, session, realm); UserAdapter adapter = new UserAdapter(cached, this, session, realm);
if (!wasCached) onCache(realm, adapter);
managedUsers.put(id, adapter); managedUsers.put(id, adapter);
return adapter; return adapter;
} }
@ -224,13 +236,7 @@ public class UserCacheSession implements CacheUserProvider {
return managedUsers.get(userId); return managedUsers.get(userId);
} }
CachedUser cached = cache.get(userId, CachedUser.class); UserAdapter adapter = getUserAdapter(realm, userId, loaded, model);
if (cached == null) {
cached = new CachedUser(loaded, realm, model);
cache.addRevisioned(cached, startupRevision);
}
logger.trace("return new cache adapter");
UserAdapter adapter = new UserAdapter(cached, this, session, realm);
managedUsers.put(userId, adapter); managedUsers.put(userId, adapter);
return adapter; return adapter;
} else { } else {
@ -245,6 +251,26 @@ public class UserCacheSession implements CacheUserProvider {
} }
} }
protected UserAdapter getUserAdapter(RealmModel realm, String userId, Long loaded, UserModel model) {
CachedUser cached = cache.get(userId, CachedUser.class);
boolean wasCached = cached != null;
if (cached == null) {
cached = new CachedUser(loaded, realm, model);
cache.addRevisioned(cached, startupRevision);
}
UserAdapter adapter = new UserAdapter(cached, this, session, realm);
if (!wasCached) {
onCache(realm, adapter);
}
return adapter;
}
private void onCache(RealmModel realm, UserAdapter adapter) {
((OnUserCache)getDelegate()).onCache(realm, adapter);
((OnUserCache)session.userCredentialManager()).onCache(realm, adapter);
}
@Override @Override
public UserModel getUserByEmail(String email, RealmModel realm) { public UserModel getUserByEmail(String email, RealmModel realm) {
if (email == null) return null; if (email == null) return null;
@ -269,12 +295,7 @@ public class UserCacheSession implements CacheUserProvider {
if (invalidations.contains(userId)) return model; if (invalidations.contains(userId)) return model;
if (managedUsers.containsKey(userId)) return managedUsers.get(userId); if (managedUsers.containsKey(userId)) return managedUsers.get(userId);
CachedUser cached = cache.get(userId, CachedUser.class); UserAdapter adapter = getUserAdapter(realm, userId, loaded, model);
if (cached == null) {
cached = new CachedUser(loaded, realm, model);
cache.addRevisioned(cached, startupRevision);
}
UserAdapter adapter = new UserAdapter(cached, this, session, realm);
managedUsers.put(userId, adapter); managedUsers.put(userId, adapter);
return adapter; return adapter;
} else { } else {
@ -317,12 +338,7 @@ public class UserCacheSession implements CacheUserProvider {
if (invalidations.contains(userId)) return model; if (invalidations.contains(userId)) return model;
if (managedUsers.containsKey(userId)) return managedUsers.get(userId); if (managedUsers.containsKey(userId)) return managedUsers.get(userId);
CachedUser cached = cache.get(userId, CachedUser.class); UserAdapter adapter = getUserAdapter(realm, userId, loaded, model);
if (cached == null) {
cached = new CachedUser(loaded, realm, model);
cache.addRevisioned(cached, startupRevision);
}
UserAdapter adapter = new UserAdapter(cached, this, session, realm);
managedUsers.put(userId, adapter); managedUsers.put(userId, adapter);
return adapter; return adapter;
} else { } else {
@ -671,24 +687,4 @@ public class UserCacheSession implements CacheUserProvider {
} }
@Override
public boolean isValid(RealmModel realm, UserModel user, List<CredentialInput> inputs) {
return getDelegate().isValid(realm, user, inputs);
}
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
getDelegate().updateCredential(realm, user, input);
}
@Override
public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
return getDelegate().isConfiguredFor(realm, user, type);
}
@Override
public Set<String> requiredActionsFor(RealmModel realm, UserModel user, String type) {
return getDelegate().requiredActionsFor(realm, user, type);
}
} }

40
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/AbstractExtendableRevisioned.java vendored Normal file
View file

@ -0,0 +1,40 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.models.cache.infinispan.entities;
import java.util.concurrent.ConcurrentHashMap;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public abstract class AbstractExtendableRevisioned extends AbstractRevisioned {
protected ConcurrentHashMap cachedWith = new ConcurrentHashMap();
public AbstractExtendableRevisioned(Long revision, String id) {
super(revision, id);
}
/**
* Cache things along with this cachable object
*
* @return
*/
public ConcurrentHashMap getCachedWith() {
return cachedWith;
}
}

9
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/AbstractRevisioned.java vendored
View file

@ -9,6 +9,7 @@ import java.io.Serializable;
public class AbstractRevisioned implements Revisioned, Serializable { public class AbstractRevisioned implements Revisioned, Serializable {
private String id; private String id;
private Long revision; private Long revision;
private final long cacheTimestamp = System.currentTimeMillis();
public AbstractRevisioned(Long revision, String id) { public AbstractRevisioned(Long revision, String id) {
this.revision = revision; this.revision = revision;
@ -30,4 +31,12 @@ public class AbstractRevisioned implements Revisioned, Serializable {
this.revision = revision; this.revision = revision;
} }
/**
* When was this cached
*
* @return
*/
public long getCacheTimestamp() {
return cacheTimestamp;
}
} }

2
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedUser.java vendored
View file

@ -36,7 +36,7 @@ import java.util.Set;
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class CachedUser extends AbstractRevisioned implements InRealm { public class CachedUser extends AbstractExtendableRevisioned implements InRealm {
private String realm; private String realm;
private String username; private String username;
private Long createdTimestamp; private Long createdTimestamp;

2
model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.cache.CacheUserProviderFactory → model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.cache.UserCacheProviderFactory
View file

@ -15,4 +15,4 @@
# limitations under the License. # limitations under the License.
# #
org.keycloak.models.cache.infinispan.InfinispanCacheUserProviderFactory org.keycloak.models.cache.infinispan.InfinispanUserCacheProviderFactory

27
model/infinispan/src/test/java/org/keycloak/models/sessions/infinispan/initializer/ClusteredCacheBehaviorTest.java
View file

@ -101,14 +101,19 @@ public class ClusteredCacheBehaviorTest {
System.out.println("node1 create entry"); System.out.println("node1 create entry");
node1Cache.put("key", "node1"); node1Cache.put("key", "node1");
System.out.println("node1 create entry"); System.out.println("node1 create entry");
node1Cache.put("key", "node111"); node1Cache.put("key", "node111");
System.out.println("node2 create entry"); System.out.println("node2 create entry");
node2Cache.put("key", "node2"); node2Cache.put("key", "node2");
System.out.println("node1 remove entry"); System.out.println("node1 remove entry");
node1Cache.remove("key"); node1Cache.remove("key");
System.out.println("node2 remove entry"); System.out.println("node2 remove entry");
node2Cache.remove("key"); node2Cache.remove("key");
System.out.println("node2 put entry"); System.out.println("node2 put entry");
node2Cache.put("key", "node2"); node2Cache.put("key", "node2");
System.out.println("node2 evict entry"); System.out.println("node2 evict entry");
@ -118,6 +123,28 @@ public class ClusteredCacheBehaviorTest {
node2Cache.putForExternalRead("key", "common"); node2Cache.putForExternalRead("key", "common");
System.out.println("node2 remove entry"); System.out.println("node2 remove entry");
node2Cache.remove("key"); node2Cache.remove("key");
System.out.println("node1 remove entry");
node1Cache.remove("key");
// test remove non-existing node 2, existing node 1
System.out.println("Test non existent remove");
System.out.println("node1 create entry");
node1Cache.put("key", "value");
System.out.println("node2 remove non-existent entry");
System.out.println("exists?: " + node2Cache.containsKey("key"));
node2Cache.remove("key");
// test clear
System.out.println("Test clear cache");
System.out.println("add key to node 1, key2 to node2");
node1Cache.putForExternalRead("key", "value");
node2Cache.putForExternalRead("key", "value");
node2Cache.putForExternalRead("key2", "value");
System.out.println("Clear from node1");
node1Cache.clear();
System.out.println("node 2 exists key2?: " + node2Cache.containsKey("key2"));
System.out.println("node 2 exists key?: " + node2Cache.containsKey("key"));
} }

220
model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserCredentialStore.java Normal file
View file

@ -0,0 +1,220 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.models.jpa;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.UserCredentialStore;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.jpa.entities.CredentialAttributeEntity;
import org.keycloak.models.jpa.entities.CredentialEntity;
import org.keycloak.models.jpa.entities.UserEntity;
import org.keycloak.models.utils.KeycloakModelUtils;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class JpaUserCredentialStore implements UserCredentialStore {
private final KeycloakSession session;
protected final EntityManager em;
public JpaUserCredentialStore(KeycloakSession session, EntityManager em) {
this.session = session;
this.em = em;
}
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialModel cred) {
CredentialEntity entity = em.find(CredentialEntity.class, cred.getId());
if (entity == null) return;
entity.setAlgorithm(cred.getAlgorithm());
entity.setCounter(cred.getCounter());
entity.setCreatedDate(cred.getCreatedDate());
entity.setDevice(cred.getDevice());
entity.setDigits(cred.getDigits());
entity.setHashIterations(cred.getHashIterations());
entity.setPeriod(cred.getPeriod());
entity.setSalt(cred.getSalt());
entity.setType(cred.getType());
entity.setValue(cred.getValue());
if (entity.getCredentialAttributes().isEmpty() && (cred.getConfig() == null || cred.getConfig().isEmpty())) {
} else {
MultivaluedHashMap<String, String> attrs = cred.getConfig();
MultivaluedHashMap<String, String> config = cred.getConfig();
if (config == null) config = new MultivaluedHashMap<>();
Iterator<CredentialAttributeEntity> it = entity.getCredentialAttributes().iterator();
while (it.hasNext()) {
CredentialAttributeEntity attr = it.next();
List<String> values = config.getList(attr.getName());
if (values == null || !values.contains(attr.getValue())) {
em.remove(attr);
it.remove();
} else {
attrs.add(attr.getName(), attr.getValue());
}
}
for (String key : config.keySet()) {
List<String> values = config.getList(key);
List<String> attrValues = attrs.getList(key);
for (String val : values) {
if (attrValues == null || !attrValues.contains(val)) {
CredentialAttributeEntity attr = new CredentialAttributeEntity();
attr.setId(KeycloakModelUtils.generateId());
attr.setValue(val);
attr.setName(key);
attr.setCredential(entity);
em.persist(attr);
entity.getCredentialAttributes().add(attr);
}
}
}
}
}
@Override
public CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred) {
CredentialEntity entity = new CredentialEntity();
String id = cred.getId() == null ? KeycloakModelUtils.generateId() : cred.getId();
entity.setId(id);
entity.setAlgorithm(cred.getAlgorithm());
entity.setCounter(cred.getCounter());
entity.setCreatedDate(cred.getCreatedDate());
entity.setDevice(cred.getDevice());
entity.setDigits(cred.getDigits());
entity.setHashIterations(cred.getHashIterations());
entity.setPeriod(cred.getPeriod());
entity.setSalt(cred.getSalt());
entity.setType(cred.getType());
entity.setValue(cred.getValue());
UserEntity userRef = em.getReference(UserEntity.class, user.getId());
entity.setUser(userRef);
em.persist(entity);
MultivaluedHashMap<String, String> config = cred.getConfig();
if (config != null || !config.isEmpty()) {
for (String key : config.keySet()) {
List<String> values = config.getList(key);
for (String val : values) {
CredentialAttributeEntity attr = new CredentialAttributeEntity();
attr.setId(KeycloakModelUtils.generateId());
attr.setValue(val);
attr.setName(key);
attr.setCredential(entity);
em.persist(attr);
entity.getCredentialAttributes().add(attr);
}
}
}
return toModel(entity);
}
@Override
public boolean removeStoredCredential(RealmModel realm, UserModel user, String id) {
CredentialEntity entity = em.find(CredentialEntity.class, id);
if (entity == null) return false;
em.remove(entity);
return true;
}
@Override
public CredentialModel getStoredCredentialById(RealmModel realm, UserModel user, String id) {
CredentialEntity entity = em.find(CredentialEntity.class, id);
if (entity == null) return null;
CredentialModel model = toModel(entity);
return model;
}
protected CredentialModel toModel(CredentialEntity entity) {
CredentialModel model = new CredentialModel();
model.setId(entity.getId());
model.setType(entity.getType());
model.setValue(entity.getValue());
model.setAlgorithm(entity.getAlgorithm());
model.setSalt(entity.getSalt());
model.setPeriod(entity.getPeriod());
model.setCounter(entity.getCounter());
model.setCreatedDate(entity.getCreatedDate());
model.setDevice(entity.getDevice());
model.setDigits(entity.getDigits());
MultivaluedHashMap<String, String> config = new MultivaluedHashMap<>();
model.setConfig(config);
for (CredentialAttributeEntity attr : entity.getCredentialAttributes()) {
config.add(attr.getName(), attr.getValue());
}
return model;
}
@Override
public List<CredentialModel> getStoredCredentials(RealmModel realm, UserModel user) {
UserEntity userEntity = em.getReference(UserEntity.class, user.getId());
TypedQuery<CredentialEntity> query = em.createNamedQuery("credentialByUser", CredentialEntity.class)
.setParameter("user", userEntity);
List<CredentialEntity> results = query.getResultList();
List<CredentialModel> rtn = new LinkedList<>();
for (CredentialEntity entity : results) {
rtn.add(toModel(entity));
}
return rtn;
}
@Override
public List<CredentialModel> getStoredCredentialsByType(RealmModel realm, UserModel user, String type) {
UserEntity userEntity = em.getReference(UserEntity.class, user.getId());
TypedQuery<CredentialEntity> query = em.createNamedQuery("credentialByUserAndType", CredentialEntity.class)
.setParameter("type", type)
.setParameter("user", userEntity);
List<CredentialEntity> results = query.getResultList();
List<CredentialModel> rtn = new LinkedList<>();
for (CredentialEntity entity : results) {
rtn.add(toModel(entity));
}
return rtn;
}
@Override
public CredentialModel getStoredCredentialByNameAndType(RealmModel realm, UserModel user, String name, String type) {
UserEntity userEntity = em.getReference(UserEntity.class, user.getId());
TypedQuery<CredentialEntity> query = em.createNamedQuery("credentialByNameAndType", CredentialEntity.class)
.setParameter("type", type)
.setParameter("device", name)
.setParameter("user", userEntity);
List<CredentialEntity> results = query.getResultList();
if (results.isEmpty()) return null;
return toModel(results.get(0));
}
@Override
public void close() {
}
}

59
model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserCredentialStoreFactory.java Executable file
View file

@ -0,0 +1,59 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.models.jpa;
import org.keycloak.Config;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.credential.UserCredentialStore;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderFactory;
import javax.persistence.EntityManager;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class JpaUserCredentialStoreFactory implements ProviderFactory<UserCredentialStore> {
@Override
public void init(Config.Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public String getId() {
return "jpa";
}
@Override
public UserCredentialStore create(KeycloakSession session) {
EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
return new JpaUserCredentialStore(session, em);
}
@Override
public void close() {
}
}

176
model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java
View file

@ -17,8 +17,11 @@
package org.keycloak.models.jpa; package org.keycloak.models.jpa;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.component.ComponentModel; import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput; import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.UserCredentialStore;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.CredentialValidationOutput; import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.FederatedIdentityModel;
@ -35,6 +38,8 @@ import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserFederationProviderModel; import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider; import org.keycloak.models.UserProvider;
import org.keycloak.models.jpa.entities.CredentialAttributeEntity;
import org.keycloak.models.jpa.entities.CredentialEntity;
import org.keycloak.models.jpa.entities.FederatedIdentityEntity; import org.keycloak.models.jpa.entities.FederatedIdentityEntity;
import org.keycloak.models.jpa.entities.UserAttributeEntity; import org.keycloak.models.jpa.entities.UserAttributeEntity;
import org.keycloak.models.jpa.entities.UserConsentEntity; import org.keycloak.models.jpa.entities.UserConsentEntity;
@ -51,6 +56,7 @@ import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -60,7 +66,7 @@ import java.util.Set;
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class JpaUserProvider implements UserProvider { public class JpaUserProvider implements UserProvider, UserCredentialStore {
private static final String EMAIL = "email"; private static final String EMAIL = "email";
private static final String USERNAME = "username"; private static final String USERNAME = "username";
@ -724,24 +730,174 @@ public class JpaUserProvider implements UserProvider {
public void preRemove(RealmModel realm, ComponentModel component) { public void preRemove(RealmModel realm, ComponentModel component) {
} }
@Override
public boolean isValid(RealmModel realm, UserModel user, List<CredentialInput> inputs) {
return false;
}
@Override @Override
public void updateCredential(RealmModel realm, UserModel user, CredentialInput input) { public void updateCredential(RealmModel realm, UserModel user, CredentialModel cred) {
CredentialEntity entity = em.find(CredentialEntity.class, cred.getId());
if (entity == null) return;
entity.setAlgorithm(cred.getAlgorithm());
entity.setCounter(cred.getCounter());
entity.setCreatedDate(cred.getCreatedDate());
entity.setDevice(cred.getDevice());
entity.setDigits(cred.getDigits());
entity.setHashIterations(cred.getHashIterations());
entity.setPeriod(cred.getPeriod());
entity.setSalt(cred.getSalt());
entity.setType(cred.getType());
entity.setValue(cred.getValue());
if (entity.getCredentialAttributes().isEmpty() && (cred.getConfig() == null || cred.getConfig().isEmpty())) {
} else {
MultivaluedHashMap<String, String> attrs = cred.getConfig();
MultivaluedHashMap<String, String> config = cred.getConfig();
if (config == null) config = new MultivaluedHashMap<>();
Iterator<CredentialAttributeEntity> it = entity.getCredentialAttributes().iterator();
while (it.hasNext()) {
CredentialAttributeEntity attr = it.next();
List<String> values = config.getList(attr.getName());
if (values == null || !values.contains(attr.getValue())) {
em.remove(attr);
it.remove();
} else {
attrs.add(attr.getName(), attr.getValue());
}
}
for (String key : config.keySet()) {
List<String> values = config.getList(key);
List<String> attrValues = attrs.getList(key);
for (String val : values) {
if (attrValues == null || !attrValues.contains(val)) {
CredentialAttributeEntity attr = new CredentialAttributeEntity();
attr.setId(KeycloakModelUtils.generateId());
attr.setValue(val);
attr.setName(key);
attr.setCredential(entity);
em.persist(attr);
entity.getCredentialAttributes().add(attr);
}
}
}
}
} }
@Override @Override
public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) { public CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred) {
return false; CredentialEntity entity = new CredentialEntity();
String id = cred.getId() == null ? KeycloakModelUtils.generateId() : cred.getId();
entity.setId(id);
entity.setAlgorithm(cred.getAlgorithm());
entity.setCounter(cred.getCounter());
entity.setCreatedDate(cred.getCreatedDate());
entity.setDevice(cred.getDevice());
entity.setDigits(cred.getDigits());
entity.setHashIterations(cred.getHashIterations());
entity.setPeriod(cred.getPeriod());
entity.setSalt(cred.getSalt());
entity.setType(cred.getType());
entity.setValue(cred.getValue());
UserEntity userRef = em.getReference(UserEntity.class, user.getId());
entity.setUser(userRef);
em.persist(entity);
MultivaluedHashMap<String, String> config = cred.getConfig();
if (config != null || !config.isEmpty()) {
for (String key : config.keySet()) {
List<String> values = config.getList(key);
for (String val : values) {
CredentialAttributeEntity attr = new CredentialAttributeEntity();
attr.setId(KeycloakModelUtils.generateId());
attr.setValue(val);
attr.setName(key);
attr.setCredential(entity);
em.persist(attr);
entity.getCredentialAttributes().add(attr);
}
}
}
return toModel(entity);
} }
@Override @Override
public Set<String> requiredActionsFor(RealmModel realm, UserModel user, String type) { public boolean removeStoredCredential(RealmModel realm, UserModel user, String id) {
return Collections.EMPTY_SET; CredentialEntity entity = em.find(CredentialEntity.class, id);
if (entity == null) return false;
em.remove(entity);
return true;
} }
@Override
public CredentialModel getStoredCredentialById(RealmModel realm, UserModel user, String id) {
CredentialEntity entity = em.find(CredentialEntity.class, id);
if (entity == null) return null;
CredentialModel model = toModel(entity);
return model;
}
protected CredentialModel toModel(CredentialEntity entity) {
CredentialModel model = new CredentialModel();
model.setId(entity.getId());
model.setType(entity.getType());
model.setValue(entity.getValue());
model.setAlgorithm(entity.getAlgorithm());
model.setSalt(entity.getSalt());
model.setPeriod(entity.getPeriod());
model.setCounter(entity.getCounter());
model.setCreatedDate(entity.getCreatedDate());
model.setDevice(entity.getDevice());
model.setDigits(entity.getDigits());
MultivaluedHashMap<String, String> config = new MultivaluedHashMap<>();
model.setConfig(config);
for (CredentialAttributeEntity attr : entity.getCredentialAttributes()) {
config.add(attr.getName(), attr.getValue());
}
return model;
}
@Override
public List<CredentialModel> getStoredCredentials(RealmModel realm, UserModel user) {
UserEntity userEntity = em.getReference(UserEntity.class, user.getId());
TypedQuery<CredentialEntity> query = em.createNamedQuery("credentialByUser", CredentialEntity.class)
.setParameter("user", userEntity);
List<CredentialEntity> results = query.getResultList();
List<CredentialModel> rtn = new LinkedList<>();
for (CredentialEntity entity : results) {
rtn.add(toModel(entity));
}
return rtn;
}
@Override
public List<CredentialModel> getStoredCredentialsByType(RealmModel realm, UserModel user, String type) {
UserEntity userEntity = em.getReference(UserEntity.class, user.getId());
TypedQuery<CredentialEntity> query = em.createNamedQuery("credentialByUserAndType", CredentialEntity.class)
.setParameter("type", type)
.setParameter("user", userEntity);
List<CredentialEntity> results = query.getResultList();
List<CredentialModel> rtn = new LinkedList<>();
for (CredentialEntity entity : results) {
rtn.add(toModel(entity));
}
return rtn;
}
@Override
public CredentialModel getStoredCredentialByNameAndType(RealmModel realm, UserModel user, String name, String type) {
UserEntity userEntity = em.getReference(UserEntity.class, user.getId());
TypedQuery<CredentialEntity> query = em.createNamedQuery("credentialByNameAndType", CredentialEntity.class)
.setParameter("type", type)
.setParameter("device", name)
.setParameter("user", userEntity);
List<CredentialEntity> results = query.getResultList();
if (results.isEmpty()) return null;
return toModel(results.get(0));
}
} }

2
model/jpa/src/main/java/org/keycloak/models/jpa/entities/CredentialEntity.java
View file

@ -38,7 +38,9 @@ import java.util.Collection;
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
@NamedQueries({ @NamedQueries({
@NamedQuery(name="credentialByUser", query="select cred from CredentialEntity cred where cred.user = :user"),
@NamedQuery(name="credentialByUserAndType", query="select cred from CredentialEntity cred where cred.user = :user and cred.type = :type"), @NamedQuery(name="credentialByUserAndType", query="select cred from CredentialEntity cred where cred.user = :user and cred.type = :type"),
@NamedQuery(name="credentialByNameAndType", query="select cred from CredentialEntity cred where cred.user = :user and cred.type = :type and cred.device = :device"),
@NamedQuery(name="deleteCredentialsByRealm", query="delete from CredentialEntity cred where cred.user IN (select u from UserEntity u where u.realmId=:realmId)"), @NamedQuery(name="deleteCredentialsByRealm", query="delete from CredentialEntity cred where cred.user IN (select u from UserEntity u where u.realmId=:realmId)"),
@NamedQuery(name="deleteCredentialsByRealmAndLink", query="delete from CredentialEntity cred where cred.user IN (select u from UserEntity u where u.realmId=:realmId and u.federationLink=:link)") @NamedQuery(name="deleteCredentialsByRealmAndLink", query="delete from CredentialEntity cred where cred.user IN (select u from UserEntity u where u.realmId=:realmId and u.federationLink=:link)")

218
model/jpa/src/main/java/org/keycloak/storage/jpa/JpaFederatedUserCredentialStore.java Normal file
View file

@ -0,0 +1,218 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.storage.jpa;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.UserCredentialStore;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.jpa.entity.FederatedUserCredentialAttributeEntity;
import org.keycloak.storage.jpa.entity.FederatedUserCredentialEntity;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class JpaFederatedUserCredentialStore implements UserCredentialStore {
private final KeycloakSession session;
protected final EntityManager em;
public JpaFederatedUserCredentialStore(KeycloakSession session, EntityManager em) {
this.session = session;
this.em = em;
}
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialModel cred) {
FederatedUserCredentialEntity entity = em.find(FederatedUserCredentialEntity.class, cred.getId());
if (entity == null) return;
entity.setAlgorithm(cred.getAlgorithm());
entity.setCounter(cred.getCounter());
entity.setCreatedDate(cred.getCreatedDate());
entity.setDevice(cred.getDevice());
entity.setDigits(cred.getDigits());
entity.setHashIterations(cred.getHashIterations());
entity.setPeriod(cred.getPeriod());
entity.setSalt(cred.getSalt());
entity.setType(cred.getType());
entity.setValue(cred.getValue());
if (entity.getCredentialAttributes().isEmpty() && (cred.getConfig() == null || cred.getConfig().isEmpty())) {
} else {
MultivaluedHashMap<String, String> attrs = cred.getConfig();
MultivaluedHashMap<String, String> config = cred.getConfig();
if (config == null) config = new MultivaluedHashMap<>();
Iterator<FederatedUserCredentialAttributeEntity> it = entity.getCredentialAttributes().iterator();
while (it.hasNext()) {
FederatedUserCredentialAttributeEntity attr = it.next();
List<String> values = config.getList(attr.getName());
if (values == null || !values.contains(attr.getValue())) {
em.remove(attr);
it.remove();
} else {
attrs.add(attr.getName(), attr.getValue());
}
}
for (String key : config.keySet()) {
List<String> values = config.getList(key);
List<String> attrValues = attrs.getList(key);
for (String val : values) {
if (attrValues == null || !attrValues.contains(val)) {
FederatedUserCredentialAttributeEntity attr = new FederatedUserCredentialAttributeEntity();
attr.setId(KeycloakModelUtils.generateId());
attr.setValue(val);
attr.setName(key);
attr.setCredential(entity);
em.persist(attr);
entity.getCredentialAttributes().add(attr);
}
}
}
}
}
@Override
public CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred) {
FederatedUserCredentialEntity entity = new FederatedUserCredentialEntity();
String id = cred.getId() == null ? KeycloakModelUtils.generateId() : cred.getId();
entity.setId(id);
entity.setAlgorithm(cred.getAlgorithm());
entity.setCounter(cred.getCounter());
entity.setCreatedDate(cred.getCreatedDate());
entity.setDevice(cred.getDevice());
entity.setDigits(cred.getDigits());
entity.setHashIterations(cred.getHashIterations());
entity.setPeriod(cred.getPeriod());
entity.setSalt(cred.getSalt());
entity.setType(cred.getType());
entity.setValue(cred.getValue());
entity.setUserId(user.getId());
entity.setRealmId(realm.getId());
entity.setStorageProviderId(StorageId.resolveProviderId(user));
em.persist(entity);
MultivaluedHashMap<String, String> config = cred.getConfig();
if (config != null || !config.isEmpty()) {
for (String key : config.keySet()) {
List<String> values = config.getList(key);
for (String val : values) {
FederatedUserCredentialAttributeEntity attr = new FederatedUserCredentialAttributeEntity();
attr.setId(KeycloakModelUtils.generateId());
attr.setValue(val);
attr.setName(key);
attr.setCredential(entity);
em.persist(attr);
entity.getCredentialAttributes().add(attr);
}
}
}
return toModel(entity);
}
@Override
public boolean removeStoredCredential(RealmModel realm, UserModel user, String id) {
FederatedUserCredentialEntity entity = em.find(FederatedUserCredentialEntity.class, id);
if (entity == null) return false;
em.remove(entity);
return true;
}
@Override
public CredentialModel getStoredCredentialById(RealmModel realm, UserModel user, String id) {
FederatedUserCredentialEntity entity = em.find(FederatedUserCredentialEntity.class, id);
if (entity == null) return null;
CredentialModel model = toModel(entity);
return model;
}
protected CredentialModel toModel(FederatedUserCredentialEntity entity) {
CredentialModel model = new CredentialModel();
model.setId(entity.getId());
model.setType(entity.getType());
model.setValue(entity.getValue());
model.setAlgorithm(entity.getAlgorithm());
model.setSalt(entity.getSalt());
model.setPeriod(entity.getPeriod());
model.setCounter(entity.getCounter());
model.setCreatedDate(entity.getCreatedDate());
model.setDevice(entity.getDevice());
model.setDigits(entity.getDigits());
MultivaluedHashMap<String, String> config = new MultivaluedHashMap<>();
model.setConfig(config);
for (FederatedUserCredentialAttributeEntity attr : entity.getCredentialAttributes()) {
config.add(attr.getName(), attr.getValue());
}
return model;
}
@Override
public List<CredentialModel> getStoredCredentials(RealmModel realm, UserModel user) {
TypedQuery<FederatedUserCredentialEntity> query = em.createNamedQuery("federatedUserCredentialByUser", FederatedUserCredentialEntity.class)
.setParameter("userId", user.getId());
List<FederatedUserCredentialEntity> results = query.getResultList();
List<CredentialModel> rtn = new LinkedList<>();
for (FederatedUserCredentialEntity entity : results) {
rtn.add(toModel(entity));
}
return rtn;
}
@Override
public List<CredentialModel> getStoredCredentialsByType(RealmModel realm, UserModel user, String type) {
TypedQuery<FederatedUserCredentialEntity> query = em.createNamedQuery("federatedUserCredentialByUserAndType", FederatedUserCredentialEntity.class)
.setParameter("type", type)
.setParameter("userId", user.getId());
List<FederatedUserCredentialEntity> results = query.getResultList();
List<CredentialModel> rtn = new LinkedList<>();
for (FederatedUserCredentialEntity entity : results) {
rtn.add(toModel(entity));
}
return rtn;
}
@Override
public CredentialModel getStoredCredentialByNameAndType(RealmModel realm, UserModel user, String name, String type) {
TypedQuery<FederatedUserCredentialEntity> query = em.createNamedQuery("federatedUserCredentialByNameAndType", FederatedUserCredentialEntity.class)
.setParameter("type", type)
.setParameter("device", name)
.setParameter("userId", user.getId());
List<FederatedUserCredentialEntity> results = query.getResultList();
if (results.isEmpty()) return null;
return toModel(results.get(0));
}
@Override
public void close() {
}
}

180
model/jpa/src/main/java/org/keycloak/storage/jpa/JpaUserFederatedStorageProvider.java
View file

@ -19,6 +19,7 @@ package org.keycloak.storage.jpa;
import org.keycloak.common.util.MultivaluedHashMap; import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.component.ComponentModel; import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialModel; import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.UserCredentialStore;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.GroupModel; import org.keycloak.models.GroupModel;
@ -50,6 +51,7 @@ import org.keycloak.storage.jpa.entity.FederatedUserAttributeEntity;
import org.keycloak.storage.jpa.entity.FederatedUserConsentEntity; import org.keycloak.storage.jpa.entity.FederatedUserConsentEntity;
import org.keycloak.storage.jpa.entity.FederatedUserConsentProtocolMapperEntity; import org.keycloak.storage.jpa.entity.FederatedUserConsentProtocolMapperEntity;
import org.keycloak.storage.jpa.entity.FederatedUserConsentRoleEntity; import org.keycloak.storage.jpa.entity.FederatedUserConsentRoleEntity;
import org.keycloak.storage.jpa.entity.FederatedUserCredentialAttributeEntity;
import org.keycloak.storage.jpa.entity.FederatedUserCredentialEntity; import org.keycloak.storage.jpa.entity.FederatedUserCredentialEntity;
import org.keycloak.storage.jpa.entity.FederatedUserGroupMembershipEntity; import org.keycloak.storage.jpa.entity.FederatedUserGroupMembershipEntity;
import org.keycloak.storage.jpa.entity.FederatedUserRequiredActionEntity; import org.keycloak.storage.jpa.entity.FederatedUserRequiredActionEntity;
@ -60,6 +62,7 @@ import javax.persistence.TypedQuery;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
@ -76,7 +79,8 @@ public class JpaUserFederatedStorageProvider implements
UserCredentialsFederatedStorage, UserCredentialsFederatedStorage,
UserGroupMembershipFederatedStorage, UserGroupMembershipFederatedStorage,
UserRequiredActionsFederatedStorage, UserRequiredActionsFederatedStorage,
UserRoleMappingsFederatedStorage { UserRoleMappingsFederatedStorage,
UserCredentialStore {
private final KeycloakSession session; private final KeycloakSession session;
protected EntityManager em; protected EntityManager em;
@ -607,16 +611,6 @@ public class JpaUserFederatedStorageProvider implements
em.flush(); em.flush();
} }
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialModel cred) {
}
@Override
public CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred) {
return null;
}
@Override @Override
public boolean removeCredential(RealmModel realm, String id) { public boolean removeCredential(RealmModel realm, String id) {
return false; return false;
@ -647,6 +641,170 @@ public class JpaUserFederatedStorageProvider implements
return null; return null;
} }
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialModel cred) {
FederatedUserCredentialEntity entity = em.find(FederatedUserCredentialEntity.class, cred.getId());
if (entity == null) return;
entity.setAlgorithm(cred.getAlgorithm());
entity.setCounter(cred.getCounter());
entity.setCreatedDate(cred.getCreatedDate());
entity.setDevice(cred.getDevice());
entity.setDigits(cred.getDigits());
entity.setHashIterations(cred.getHashIterations());
entity.setPeriod(cred.getPeriod());
entity.setSalt(cred.getSalt());
entity.setType(cred.getType());
entity.setValue(cred.getValue());
if (entity.getCredentialAttributes().isEmpty() && (cred.getConfig() == null || cred.getConfig().isEmpty())) {
} else {
MultivaluedHashMap<String, String> attrs = cred.getConfig();
MultivaluedHashMap<String, String> config = cred.getConfig();
if (config == null) config = new MultivaluedHashMap<>();
Iterator<FederatedUserCredentialAttributeEntity> it = entity.getCredentialAttributes().iterator();
while (it.hasNext()) {
FederatedUserCredentialAttributeEntity attr = it.next();
List<String> values = config.getList(attr.getName());
if (values == null || !values.contains(attr.getValue())) {
em.remove(attr);
it.remove();
} else {
attrs.add(attr.getName(), attr.getValue());
}
}
for (String key : config.keySet()) {
List<String> values = config.getList(key);
List<String> attrValues = attrs.getList(key);
for (String val : values) {
if (attrValues == null || !attrValues.contains(val)) {
FederatedUserCredentialAttributeEntity attr = new FederatedUserCredentialAttributeEntity();
attr.setId(KeycloakModelUtils.generateId());
attr.setValue(val);
attr.setName(key);
attr.setCredential(entity);
em.persist(attr);
entity.getCredentialAttributes().add(attr);
}
}
}
}
}
@Override
public CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred) {
FederatedUserCredentialEntity entity = new FederatedUserCredentialEntity();
String id = cred.getId() == null ? KeycloakModelUtils.generateId() : cred.getId();
entity.setId(id);
entity.setAlgorithm(cred.getAlgorithm());
entity.setCounter(cred.getCounter());
entity.setCreatedDate(cred.getCreatedDate());
entity.setDevice(cred.getDevice());
entity.setDigits(cred.getDigits());
entity.setHashIterations(cred.getHashIterations());
entity.setPeriod(cred.getPeriod());
entity.setSalt(cred.getSalt());
entity.setType(cred.getType());
entity.setValue(cred.getValue());
entity.setUserId(user.getId());
entity.setRealmId(realm.getId());
entity.setStorageProviderId(StorageId.resolveProviderId(user));
em.persist(entity);
MultivaluedHashMap<String, String> config = cred.getConfig();
if (config != null || !config.isEmpty()) {
for (String key : config.keySet()) {
List<String> values = config.getList(key);
for (String val : values) {
FederatedUserCredentialAttributeEntity attr = new FederatedUserCredentialAttributeEntity();
attr.setId(KeycloakModelUtils.generateId());
attr.setValue(val);
attr.setName(key);
attr.setCredential(entity);
em.persist(attr);
entity.getCredentialAttributes().add(attr);
}
}
}
return toModel(entity);
}
@Override
public boolean removeStoredCredential(RealmModel realm, UserModel user, String id) {
FederatedUserCredentialEntity entity = em.find(FederatedUserCredentialEntity.class, id);
if (entity == null) return false;
em.remove(entity);
return true;
}
@Override
public CredentialModel getStoredCredentialById(RealmModel realm, UserModel user, String id) {
FederatedUserCredentialEntity entity = em.find(FederatedUserCredentialEntity.class, id);
if (entity == null) return null;
CredentialModel model = toModel(entity);
return model;
}
protected CredentialModel toModel(FederatedUserCredentialEntity entity) {
CredentialModel model = new CredentialModel();
model.setId(entity.getId());
model.setType(entity.getType());
model.setValue(entity.getValue());
model.setAlgorithm(entity.getAlgorithm());
model.setSalt(entity.getSalt());
model.setPeriod(entity.getPeriod());
model.setCounter(entity.getCounter());
model.setCreatedDate(entity.getCreatedDate());
model.setDevice(entity.getDevice());
model.setDigits(entity.getDigits());
MultivaluedHashMap<String, String> config = new MultivaluedHashMap<>();
model.setConfig(config);
for (FederatedUserCredentialAttributeEntity attr : entity.getCredentialAttributes()) {
config.add(attr.getName(), attr.getValue());
}
return model;
}
@Override
public List<CredentialModel> getStoredCredentials(RealmModel realm, UserModel user) {
TypedQuery<FederatedUserCredentialEntity> query = em.createNamedQuery("federatedUserCredentialByUser", FederatedUserCredentialEntity.class)
.setParameter("userId", user.getId());
List<FederatedUserCredentialEntity> results = query.getResultList();
List<CredentialModel> rtn = new LinkedList<>();
for (FederatedUserCredentialEntity entity : results) {
rtn.add(toModel(entity));
}
return rtn;
}
@Override
public List<CredentialModel> getStoredCredentialsByType(RealmModel realm, UserModel user, String type) {
TypedQuery<FederatedUserCredentialEntity> query = em.createNamedQuery("federatedUserCredentialByUserAndType", FederatedUserCredentialEntity.class)
.setParameter("type", type)
.setParameter("userId", user.getId());
List<FederatedUserCredentialEntity> results = query.getResultList();
List<CredentialModel> rtn = new LinkedList<>();
for (FederatedUserCredentialEntity entity : results) {
rtn.add(toModel(entity));
}
return rtn;
}
@Override
public CredentialModel getStoredCredentialByNameAndType(RealmModel realm, UserModel user, String name, String type) {
TypedQuery<FederatedUserCredentialEntity> query = em.createNamedQuery("federatedUserCredentialByNameAndType", FederatedUserCredentialEntity.class)
.setParameter("type", type)
.setParameter("device", name)
.setParameter("userId", user.getId());
List<FederatedUserCredentialEntity> results = query.getResultList();
if (results.isEmpty()) return null;
return toModel(results.get(0));
}
@Override @Override
public void preRemove(RealmModel realm) { public void preRemove(RealmModel realm) {
int num = em.createNamedQuery("deleteFederatedUserConsentRolesByRealm") int num = em.createNamedQuery("deleteFederatedUserConsentRolesByRealm")

1
model/jpa/src/main/java/org/keycloak/storage/jpa/entity/FederatedUserCredentialEntity.java
View file

@ -43,6 +43,7 @@ import java.util.Collection;
@NamedQueries({ @NamedQueries({
@NamedQuery(name="federatedUserCredentialByUser", query="select cred from FederatedUserCredentialEntity cred where cred.userId = :userId"), @NamedQuery(name="federatedUserCredentialByUser", query="select cred from FederatedUserCredentialEntity cred where cred.userId = :userId"),
@NamedQuery(name="federatedUserCredentialByUserAndType", query="select cred from FederatedUserCredentialEntity cred where cred.userId = :userId and cred.type = :type"), @NamedQuery(name="federatedUserCredentialByUserAndType", query="select cred from FederatedUserCredentialEntity cred where cred.userId = :userId and cred.type = :type"),
@NamedQuery(name="federatedUserCredentialByNameAndType", query="select cred from FederatedUserCredentialEntity cred where cred.userId = :userId and cred.type = :type and cred.device = :device"),
@NamedQuery(name="deleteFederatedUserCredentialByUser", query="delete from FederatedUserCredentialEntity cred where cred.userId = :userId and cred.realmId = :realmId"), @NamedQuery(name="deleteFederatedUserCredentialByUser", query="delete from FederatedUserCredentialEntity cred where cred.userId = :userId and cred.realmId = :realmId"),
@NamedQuery(name="deleteFederatedUserCredentialByUserAndType", query="delete from FederatedUserCredentialEntity cred where cred.userId = :userId and cred.type = :type"), @NamedQuery(name="deleteFederatedUserCredentialByUserAndType", query="delete from FederatedUserCredentialEntity cred where cred.userId = :userId and cred.type = :type"),
@NamedQuery(name="deleteFederatedUserCredentialByUserAndTypeAndDevice", query="delete from FederatedUserCredentialEntity cred where cred.userId = :userId and cred.type = :type and cred.device = :device"), @NamedQuery(name="deleteFederatedUserCredentialByUserAndTypeAndDevice", query="delete from FederatedUserCredentialEntity cred where cred.userId = :userId and cred.type = :type and cred.device = :device"),

19
model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java
View file

@ -637,23 +637,4 @@ public class MongoUserProvider implements UserProvider {
} }
@Override
public boolean isValid(RealmModel realm, UserModel user, List<CredentialInput> inputs) {
return false;
}
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
}
@Override
public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
return false;
}
@Override
public Set<String> requiredActionsFor(RealmModel realm, UserModel user, String type) {
return Collections.EMPTY_SET;
}
} }

4
server-spi/src/main/java/org/keycloak/credential/CredentialInputUpdater.java
View file

@ -27,6 +27,6 @@ import java.util.Set;
*/ */
public interface CredentialInputUpdater { public interface CredentialInputUpdater {
boolean supportsCredentialType(String credentialType); boolean supportsCredentialType(String credentialType);
Set<String> requiredActionsFor(RealmModel realm, UserModel user, String credentialType); boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input);
void updateCredential(RealmModel realm, UserModel user, CredentialInput input); void disableCredentialType(RealmModel realm, UserModel user, String credentialType);
} }

14
server-spi/src/main/java/org/keycloak/credential/CredentialModel.java
View file

@ -29,6 +29,20 @@ import java.util.Map;
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a> * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/ */
public class CredentialModel implements Serializable { public class CredentialModel implements Serializable {
public static final String PASSWORD = "password";
public static final String PASSWORD_HISTORY = "password-history";
public static final String PASSWORD_TOKEN = "password-token";
// Secret is same as password but it is not hashed
public static final String SECRET = "secret";
public static final String TOTP = "totp";
public static final String HOTP = "hotp";
public static final String CLIENT_CERT = "cert";
public static final String KERBEROS = "kerberos";
public static final String OTP = "otp";
private String id; private String id;
private String type; private String type;
private String value; private String value;

11
server-spi/src/main/java/org/keycloak/credential/UserCredentialStore.java
View file

@ -29,10 +29,9 @@ import java.util.List;
public interface UserCredentialStore extends Provider { public interface UserCredentialStore extends Provider {
void updateCredential(RealmModel realm, UserModel user, CredentialModel cred); void updateCredential(RealmModel realm, UserModel user, CredentialModel cred);
CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred); CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred);
boolean removeCredential(RealmModel realm, String id); boolean removeStoredCredential(RealmModel realm, UserModel user, String id);
CredentialModel getCredentialById(String id); CredentialModel getStoredCredentialById(RealmModel realm, UserModel user, String id);
List<CredentialModel> getCredentials(RealmModel realm); List<CredentialModel> getStoredCredentials(RealmModel realm, UserModel user);
List<CredentialModel> getCredentials(RealmModel realm, UserModel user); List<CredentialModel> getStoredCredentialsByType(RealmModel realm, UserModel user, String type);
List<CredentialModel> getCredentialsByType(RealmModel realm, UserModel user, String type); CredentialModel getStoredCredentialByNameAndType(RealmModel realm, UserModel user, String name, String type);
CredentialModel getCredentialByNameAndType(RealmModel realm, UserModel user, String name, String type);
} }

16
server-spi/src/main/java/org/keycloak/models/KeycloakSession.java
View file

@ -17,6 +17,7 @@
package org.keycloak.models; package org.keycloak.models;
import org.keycloak.models.cache.UserCache;
import org.keycloak.provider.Provider; import org.keycloak.provider.Provider;
import org.keycloak.scripting.ScriptingProvider; import org.keycloak.scripting.ScriptingProvider;
import org.keycloak.storage.federated.UserFederatedStorageProvider; import org.keycloak.storage.federated.UserFederatedStorageProvider;
@ -74,6 +75,7 @@ public interface KeycloakSession {
Object removeAttribute(String attribute); Object removeAttribute(String attribute);
void setAttribute(String name, Object value); void setAttribute(String name, Object value);
void enlistForClose(Provider provider); void enlistForClose(Provider provider);
KeycloakSessionFactory getKeycloakSessionFactory(); KeycloakSessionFactory getKeycloakSessionFactory();
@ -101,7 +103,14 @@ public interface KeycloakSession {
void close(); void close();
/** /**
* A cached view of all users in system. * The user cache
*
* @return may be null if cache is disabled
*/
UserCache getUserCache();
/**
* A possibly cached view of all users in system.
* *
* @return * @return
*/ */
@ -115,8 +124,10 @@ public interface KeycloakSession {
*/ */
UserProvider userStorageManager(); UserProvider userStorageManager();
UserCredentialManager userCredentialManager();
/** /**
* A cached view of all users in system that does NOT include users available from the deprecated UserFederationProvider SPI. * A possibly cached view of all users in system that does NOT include users available from the deprecated UserFederationProvider SPI.
*/ */
UserProvider userStorage(); UserProvider userStorage();
@ -129,6 +140,7 @@ public interface KeycloakSession {
/** /**
* Hybrid storage for UserStorageProviders that can't store a specific piece of keycloak data in their external storage. * Hybrid storage for UserStorageProviders that can't store a specific piece of keycloak data in their external storage.
* No cache in front.
* *
* @return * @return
*/ */

37
server-spi/src/main/java/org/keycloak/models/UserCredentialManager.java Normal file
View file

@ -0,0 +1,37 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.models;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.UserCredentialStore;
import java.util.List;
import java.util.Set;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public interface UserCredentialManager extends UserCredentialStore {
boolean isValid(RealmModel realm, UserModel user, List<CredentialInput> inputs);
void updateCredential(RealmModel realm, UserModel user, CredentialInput input);
void disableCredential(RealmModel realm, UserModel user, String credentialType);
boolean isConfiguredFor(RealmModel realm, UserModel user, String type);
}

17
server-spi/src/main/java/org/keycloak/models/UserCredentialModel.java
View file

@ -18,6 +18,7 @@
package org.keycloak.models; package org.keycloak.models;
import org.keycloak.credential.CredentialInput; import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialModel;
import java.util.UUID; import java.util.UUID;
@ -26,16 +27,16 @@ import java.util.UUID;
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class UserCredentialModel implements CredentialInput { public class UserCredentialModel implements CredentialInput {
public static final String PASSWORD = "password"; public static final String PASSWORD = CredentialModel.PASSWORD;
public static final String PASSWORD_HISTORY = "password-history"; public static final String PASSWORD_HISTORY = CredentialModel.PASSWORD_HISTORY;
public static final String PASSWORD_TOKEN = "password-token"; public static final String PASSWORD_TOKEN = CredentialModel.PASSWORD_TOKEN;
// Secret is same as password but it is not hashed // Secret is same as password but it is not hashed
public static final String SECRET = "secret"; public static final String SECRET = CredentialModel.SECRET;
public static final String TOTP = "totp"; public static final String TOTP = CredentialModel.TOTP;
public static final String HOTP = "hotp"; public static final String HOTP = CredentialModel.HOTP;
public static final String CLIENT_CERT = "cert"; public static final String CLIENT_CERT = CredentialModel.CLIENT_CERT;
public static final String KERBEROS = "kerberos"; public static final String KERBEROS = CredentialModel.KERBEROS;
protected String type; protected String type;
protected String value; protected String value;

21
server-spi/src/main/java/org/keycloak/models/UserFederationManager.java
View file

@ -445,27 +445,6 @@ public class UserFederationManager implements UserProvider {
session.userStorage().grantToAllUsers(realm, role); session.userStorage().grantToAllUsers(realm, role);
} }
@Override
public boolean isValid(RealmModel realm, UserModel user, List<CredentialInput> inputs) {
return session.userStorage().isValid(realm, user, inputs);
}
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
session.userStorage().updateCredential(realm, user, input);
}
@Override
public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
return session.userStorage().isConfiguredFor(realm, user, type);
}
@Override
public Set<String> requiredActionsFor(RealmModel realm, UserModel user, String type) {
return session.userStorage().requiredActionsFor(realm, user, type);
}
@Override @Override
public void preRemove(RealmModel realm) { public void preRemove(RealmModel realm) {
for (UserFederationProviderModel federation : realm.getUserFederationProviders()) { for (UserFederationProviderModel federation : realm.getUserFederationProviders()) {

7
server-spi/src/main/java/org/keycloak/models/UserProvider.java
View file

@ -87,11 +87,4 @@ public interface UserProvider extends Provider,
void preRemove(RealmModel realm, ComponentModel component); void preRemove(RealmModel realm, ComponentModel component);
boolean isValid(RealmModel realm, UserModel user, List<CredentialInput> inputs);
void updateCredential(RealmModel realm, UserModel user, CredentialInput input);
boolean isConfiguredFor(RealmModel realm, UserModel user, String type);
Set<String> requiredActionsFor(RealmModel realm, UserModel user, String type);
} }

4
server-spi/src/main/java/org/keycloak/models/cache/CacheUserProviderSpi.java vendored
View file

@ -39,11 +39,11 @@ public class CacheUserProviderSpi implements Spi {
@Override @Override
public Class<? extends Provider> getProviderClass() { public Class<? extends Provider> getProviderClass() {
return CacheUserProvider.class; return UserCache.class;
} }
@Override @Override
public Class<? extends ProviderFactory> getProviderFactoryClass() { public Class<? extends ProviderFactory> getProviderFactoryClass() {
return CacheUserProviderFactory.class; return UserCacheProviderFactory.class;
} }
} }

43
server-spi/src/main/java/org/keycloak/models/cache/CachedUserModel.java vendored Normal file
View file

@ -0,0 +1,43 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.models.cache;
import org.keycloak.models.UserModel;
import java.util.concurrent.ConcurrentHashMap;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public interface CachedUserModel extends UserModel {
void invalidate();
/**
* When was the user loaded from database.
*
* @return
*/
long getCacheTimestamp();
/**
* Returns a map that contains custom things that are cached along with the user. You can write to this map.
*
* @return
*/
ConcurrentHashMap getCachedWith();
}

7
server-spi/src/main/java/org/keycloak/models/cache/CacheUserProvider.java → server-spi/src/main/java/org/keycloak/models/cache/OnUserCache.java vendored Executable file → Normal file
View file

@ -14,17 +14,14 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.keycloak.models.cache; package org.keycloak.models.cache;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.UserProvider;
/** /**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public interface CacheUserProvider extends UserProvider { public interface OnUserCache {
void clear(); void onCache(RealmModel realm, CachedUserModel user);
UserProvider getDelegate();
} }

36
server-spi/src/main/java/org/keycloak/models/cache/UserCache.java vendored Executable file
View file

@ -0,0 +1,36 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.models.cache;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public interface UserCache extends UserProvider {
/**
* Evict user from cache.
*
* @param user
*/
void evict(RealmModel realm, UserModel user);
void clear();
}

2
server-spi/src/main/java/org/keycloak/models/cache/CacheUserProviderFactory.java → server-spi/src/main/java/org/keycloak/models/cache/UserCacheProviderFactory.java vendored
View file

@ -23,6 +23,6 @@ import org.keycloak.provider.ProviderFactory;
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public interface CacheUserProviderFactory extends ProviderFactory<CacheUserProvider> { public interface UserCacheProviderFactory extends ProviderFactory<UserCache> {
} }

224
services/src/main/java/org/keycloak/credential/LocalOTPCredentialManager.java Normal file
View file

@ -0,0 +1,224 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.credential;
import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.cache.OnUserCache;
import org.keycloak.models.utils.HmacOTP;
import org.keycloak.models.utils.TimeBasedOTP;
import java.util.Collections;
import java.util.List;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class LocalOTPCredentialManager implements CredentialInputValidator, CredentialInputUpdater, OnUserCache {
private static final Logger logger = Logger.getLogger(LocalOTPCredentialManager.class);
protected KeycloakSession session;
protected List<CredentialModel> getCachedCredentials(UserModel user, String type) {
if (!(user instanceof CachedUserModel)) return Collections.EMPTY_LIST;
CachedUserModel cached = (CachedUserModel)user;
List<CredentialModel> rtn = (List<CredentialModel>)cached.getCachedWith().get(LocalOTPCredentialManager.class.getName() + "." + type);
if (rtn == null) return Collections.EMPTY_LIST;
return rtn;
}
protected UserCredentialStore getCredentialStore() {
return session.userCredentialManager();
}
@Override
public void onCache(RealmModel realm, CachedUserModel user) {
List<CredentialModel> creds = getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.TOTP);
user.getCachedWith().put(LocalOTPCredentialManager.class.getName() + "." + CredentialModel.TOTP, creds);
}
public LocalOTPCredentialManager(KeycloakSession session) {
this.session = session;
}
@Override
public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
if (!supportsCredentialType(input.getType())) return false;
if (!(input instanceof UserCredentialModel)) {
logger.debug("Expected instance of UserCredentialModel for CredentialInput");
return false;
}
UserCredentialModel inputModel = (UserCredentialModel)input;
CredentialModel model = null;
if (inputModel.getDevice() != null) {
model = getCredentialStore().getStoredCredentialByNameAndType(realm, user, inputModel.getDevice(), CredentialModel.TOTP);
if (model == null) {
model = getCredentialStore().getStoredCredentialByNameAndType(realm, user, inputModel.getDevice(), CredentialModel.HOTP);
}
}
if (model == null) {
// delete all existing
disableCredentialType(realm, user, CredentialModel.OTP);
model = new CredentialModel();
}
OTPPolicy policy = realm.getOTPPolicy();
model.setDigits(policy.getDigits());
model.setCounter(policy.getInitialCounter());
model.setAlgorithm(policy.getAlgorithm());
model.setType(policy.getType());
model.setValue(inputModel.getValue());
model.setDevice(inputModel.getDevice());
model.setPeriod(policy.getPeriod());
if (model.getId() == null) {
getCredentialStore().createCredential(realm, user, model);
} else {
getCredentialStore().updateCredential(realm, user, model);
}
session.getUserCache().evict(realm, user);
return true;
}
@Override
public void disableCredentialType(RealmModel realm, UserModel user, String credentialType) {
boolean disableTOTP = false, disableHOTP = false;
if (CredentialModel.OTP.equals(credentialType)) {
disableTOTP = true;
disableHOTP = true;
} else if (CredentialModel.HOTP.equals(credentialType)) {
disableHOTP = true;
} else if (CredentialModel.TOTP.equals(credentialType)) {
disableTOTP = true;
}
if (disableHOTP) {
List<CredentialModel> hotp = getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.HOTP);
for (CredentialModel cred : hotp) {
getCredentialStore().removeStoredCredential(realm, user, cred.getId());
}
}
if (disableTOTP) {
List<CredentialModel> totp = getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.TOTP);
if (!totp.isEmpty()) {
for (CredentialModel cred : totp) {
getCredentialStore().removeStoredCredential(realm, user, cred.getId());
}
}
}
if (disableTOTP || disableHOTP) {
session.getUserCache().evict(realm, user);
}
}
@Override
public boolean supportsCredentialType(String credentialType) {
return CredentialModel.OTP.equals(credentialType)
|| CredentialModel.HOTP.equals(credentialType)
|| CredentialModel.TOTP.equals(credentialType);
}
@Override
public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
if (!supportsCredentialType(credentialType)) return false;
if (CredentialModel.OTP.equals(credentialType)) {
if (realm.getOTPPolicy().getType().equals(CredentialModel.HOTP)) {
return configuredForHOTP(realm, user);
} else {
return configuredForTOTP(realm, user);
}
} else if (CredentialModel.HOTP.equals(credentialType)) {
return configuredForHOTP(realm, user);
} else if (CredentialModel.TOTP.equals(credentialType)) {
return configuredForTOTP(realm, user);
} else {
return false;
}
}
protected boolean configuredForHOTP(RealmModel realm, UserModel user) {
return !getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.HOTP).isEmpty();
}
protected boolean configuredForTOTP(RealmModel realm, UserModel user) {
return !getCachedCredentials(user, CredentialModel.TOTP).isEmpty()
|| !getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.TOTP).isEmpty();
}
public static boolean validOTP(RealmModel realm, String token, String secret) {
OTPPolicy policy = realm.getOTPPolicy();
if (policy.getType().equals(UserCredentialModel.TOTP)) {
TimeBasedOTP validator = new TimeBasedOTP(policy.getAlgorithm(), policy.getDigits(), policy.getPeriod(), policy.getLookAheadWindow());
return validator.validateTOTP(token, secret.getBytes());
} else {
HmacOTP validator = new HmacOTP(policy.getDigits(), policy.getAlgorithm(), policy.getLookAheadWindow());
int c = validator.validateHOTP(token, secret, policy.getInitialCounter());
return c > -1;
}
}
@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
if (! (input instanceof UserCredentialModel)) {
logger.debug("Expected instance of UserCredentialModel for CredentialInput");
return false;
}
String token = ((UserCredentialModel)input).getValue();
OTPPolicy policy = realm.getOTPPolicy();
if (realm.getOTPPolicy().getType().equals(CredentialModel.HOTP)) {
HmacOTP validator = new HmacOTP(policy.getDigits(), policy.getAlgorithm(), policy.getLookAheadWindow());
for (CredentialModel cred : getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.HOTP)) {
int counter = validator.validateHOTP(token, cred.getValue(), cred.getCounter());
if (counter < 0) continue;
cred.setCounter(counter);
getCredentialStore().updateCredential(realm, user, cred);
return true;
}
} else {
TimeBasedOTP validator = new TimeBasedOTP(policy.getAlgorithm(), policy.getDigits(), policy.getPeriod(), policy.getLookAheadWindow());
List<CredentialModel> creds = getCachedCredentials(user, CredentialModel.TOTP);
if (creds.isEmpty()) {
creds = getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.TOTP);
} else {
logger.debugv("Cache hit for TOTP for user {0}", user.getUsername());
}
for (CredentialModel cred : creds) {
if (validator.validateTOTP(token, cred.getValue().getBytes())) {
return true;
}
}
}
return false;
}
}

249
services/src/main/java/org/keycloak/credential/UserCredentialStoreManager.java Normal file
View file

@ -0,0 +1,249 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.credential;
import org.keycloak.common.util.reflections.Types;
import org.keycloak.component.ComponentModel;
import org.keycloak.component.PrioritizedComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialManager;
import org.keycloak.models.UserModel;
import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.cache.OnUserCache;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageManager;
import org.keycloak.storage.UserStorageProvider;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class UserCredentialStoreManager implements UserCredentialManager, OnUserCache {
protected KeycloakSession session;
public UserCredentialStoreManager(KeycloakSession session) {
this.session = session;
}
protected UserCredentialStore getStoreForUser(UserModel user) {
if (StorageId.isLocalStorage(user)) {
return (UserCredentialStore)session.userLocalStorage();
} else {
return (UserCredentialStore)session.userFederatedStorage();
}
}
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialModel cred) {
getStoreForUser(user).updateCredential(realm, user, cred);
}
@Override
public CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred) {
return getStoreForUser(user).createCredential(realm, user, cred);
}
@Override
public boolean removeStoredCredential(RealmModel realm, UserModel user, String id) {
return getStoreForUser(user).removeStoredCredential(realm, user, id);
}
@Override
public CredentialModel getStoredCredentialById(RealmModel realm, UserModel user, String id) {
return getStoreForUser(user).getStoredCredentialById(realm, user, id);
}
@Override
public List<CredentialModel> getStoredCredentials(RealmModel realm, UserModel user) {
return getStoreForUser(user).getStoredCredentials(realm, user);
}
@Override
public List<CredentialModel> getStoredCredentialsByType(RealmModel realm, UserModel user, String type) {
return getStoreForUser(user).getStoredCredentialsByType(realm, user, type);
}
@Override
public CredentialModel getStoredCredentialByNameAndType(RealmModel realm, UserModel user, String name, String type) {
return getStoreForUser(user).getStoredCredentialByNameAndType(realm, user, name, type);
}
@Override
public boolean isValid(RealmModel realm, UserModel user, List<CredentialInput> inputs) {
List<CredentialInput> toValidate = new LinkedList<>();
toValidate.addAll(inputs);
if (!StorageId.isLocalStorage(user)) {
String providerId = StorageId.resolveProviderId(user);
UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, providerId);
if (provider instanceof CredentialInputValidator) {
Iterator<CredentialInput> it = toValidate.iterator();
while (it.hasNext()) {
CredentialInput input = it.next();
CredentialInputValidator validator = (CredentialInputValidator)provider;
if (validator.supportsCredentialType(input.getType()) && validator.isValid(realm, user, input)) {
it.remove();
}
}
}
}
if (toValidate.isEmpty()) return true;
List<ComponentModel> components = getCredentialProviderComponents(realm);
for (ComponentModel component : components) {
CredentialProviderFactory factory = (CredentialProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CredentialProvider.class, component.getProviderId());
if (!Types.supports(CredentialInputValidator.class, factory, CredentialProviderFactory.class)) continue;
Iterator<CredentialInput> it = toValidate.iterator();
while (it.hasNext()) {
CredentialInput input = it.next();
CredentialInputValidator validator = (CredentialInputValidator)session.getAttribute(component.getId());
if (validator == null) {
validator = (CredentialInputValidator)factory.create(session, component);
session.setAttribute(component.getId(), validator);
}
if (validator.supportsCredentialType(input.getType()) && validator.isValid(realm, user, input)) {
it.remove();
}
}
}
return toValidate.isEmpty();
}
protected List<ComponentModel> getCredentialProviderComponents(RealmModel realm) {
List<ComponentModel> components = realm.getComponents(realm.getId(), CredentialProvider.class.getName());
if (components.isEmpty()) return components;
List<ComponentModel> copy = new LinkedList<>();
copy.addAll(components);
Collections.sort(copy, PrioritizedComponentModel.comparator);
return copy;
}
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
if (!StorageId.isLocalStorage(user)) {
String providerId = StorageId.resolveProviderId(user);
UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, providerId);
if (provider instanceof CredentialInputUpdater) {
CredentialInputUpdater updater = (CredentialInputUpdater)provider;
if (updater.supportsCredentialType(input.getType())) {
if (updater.updateCredential(realm, user, input)) return;
}
}
}
List<ComponentModel> components = getCredentialProviderComponents(realm);
for (ComponentModel component : components) {
CredentialProviderFactory factory = (CredentialProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CredentialProvider.class, component.getProviderId());
if (!Types.supports(CredentialInputUpdater.class, factory, CredentialProviderFactory.class)) continue;
CredentialInputUpdater updater = (CredentialInputUpdater)session.getAttribute(component.getId());
if (updater == null) {
updater = (CredentialInputUpdater)factory.create(session, component);
session.setAttribute(component.getId(), updater);
}
if (!updater.supportsCredentialType(input.getType())) continue;
if (updater.updateCredential(realm, user, input)) return;
}
}
@Override
public void disableCredential(RealmModel realm, UserModel user, String credentialType) {
if (!StorageId.isLocalStorage(user)) {
String providerId = StorageId.resolveProviderId(user);
UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, providerId);
if (provider instanceof CredentialInputUpdater) {
CredentialInputUpdater updater = (CredentialInputUpdater)provider;
if (updater.supportsCredentialType(credentialType)) {
updater.disableCredentialType(realm, user, credentialType);
}
}
}
List<ComponentModel> components = getCredentialProviderComponents(realm);
for (ComponentModel component : components) {
CredentialProviderFactory factory = (CredentialProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CredentialProvider.class, component.getProviderId());
if (!Types.supports(CredentialInputUpdater.class, factory, CredentialProviderFactory.class)) continue;
CredentialInputUpdater updater = (CredentialInputUpdater)session.getAttribute(component.getId());
if (updater == null) {
updater = (CredentialInputUpdater)factory.create(session, component);
session.setAttribute(component.getId(), updater);
}
if (!updater.supportsCredentialType(credentialType)) continue;
updater.disableCredentialType(realm, user, credentialType);
}
}
@Override
public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
if (!StorageId.isLocalStorage(user)) {
String providerId = StorageId.resolveProviderId(user);
UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, providerId);
if (provider instanceof CredentialInputValidator) {
CredentialInputValidator validator = (CredentialInputValidator)provider;
if (validator.supportsCredentialType(type) && validator.isConfiguredFor(realm, user, type)) {
return true;
}
}
}
List<ComponentModel> components = getCredentialProviderComponents(realm);
for (ComponentModel component : components) {
CredentialProviderFactory factory = (CredentialProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CredentialProvider.class, component.getProviderId());
if (!Types.supports(CredentialInputUpdater.class, factory, CredentialProviderFactory.class)) continue;
CredentialInputValidator validator = (CredentialInputValidator)session.getAttribute(component.getId());
if (validator == null) {
validator = (CredentialInputValidator)factory.create(session, component);
session.setAttribute(component.getId(), validator);
}
if (validator.supportsCredentialType(type) && validator.isConfiguredFor(realm, user, type)) {
return true;
}
}
return false;
}
@Override
public void onCache(RealmModel realm, CachedUserModel user) {
List<ComponentModel> components = getCredentialProviderComponents(realm);
for (ComponentModel component : components) {
CredentialProviderFactory factory = (CredentialProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CredentialProvider.class, component.getProviderId());
if (!Types.supports(OnUserCache.class, factory, CredentialProviderFactory.class)) continue;
OnUserCache validator = (OnUserCache)session.getAttribute(component.getId());
if (validator == null) {
validator = (OnUserCache)factory.create(session, component);
session.setAttribute(component.getId(), validator);
}
validator.onCache(realm, user);
}
}
@Override
public void close() {
}
}

19
services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java
View file

@ -16,9 +16,11 @@
*/ */
package org.keycloak.services; package org.keycloak.services;
import org.keycloak.credential.UserCredentialStore;
import org.keycloak.credential.UserCredentialStoreManager;
import org.keycloak.models.*; import org.keycloak.models.*;
import org.keycloak.models.cache.CacheRealmProvider; import org.keycloak.models.cache.CacheRealmProvider;
import org.keycloak.models.cache.CacheUserProvider; import org.keycloak.models.cache.UserCache;
import org.keycloak.provider.Provider; import org.keycloak.provider.Provider;
import org.keycloak.provider.ProviderFactory; import org.keycloak.provider.ProviderFactory;
import org.keycloak.scripting.ScriptingProvider; import org.keycloak.scripting.ScriptingProvider;
@ -40,6 +42,7 @@ public class DefaultKeycloakSession implements KeycloakSession {
private RealmProvider model; private RealmProvider model;
private UserProvider userModel; private UserProvider userModel;
private UserStorageManager userStorageManager; private UserStorageManager userStorageManager;
private UserCredentialStoreManager userCredentialStorageManager;
private ScriptingProvider scriptingProvider; private ScriptingProvider scriptingProvider;
private UserSessionProvider sessionProvider; private UserSessionProvider sessionProvider;
private UserFederationManager federationManager; private UserFederationManager federationManager;
@ -68,7 +71,7 @@ public class DefaultKeycloakSession implements KeycloakSession {
} }
private UserProvider getUserProvider() { private UserProvider getUserProvider() {
CacheUserProvider cache = getProvider(CacheUserProvider.class); UserCache cache = getProvider(UserCache.class);
if (cache != null) { if (cache != null) {
return cache; return cache;
} else { } else {
@ -76,6 +79,12 @@ public class DefaultKeycloakSession implements KeycloakSession {
} }
} }
@Override
public UserCache getUserCache() {
return getProvider(UserCache.class);
}
@Override @Override
public void enlistForClose(Provider provider) { public void enlistForClose(Provider provider) {
closable.add(provider); closable.add(provider);
@ -125,6 +134,12 @@ public class DefaultKeycloakSession implements KeycloakSession {
return userStorageManager; return userStorageManager;
} }
@Override
public UserCredentialManager userCredentialManager() {
if (userCredentialStorageManager == null) userCredentialStorageManager = new UserCredentialStoreManager(this);
return userCredentialStorageManager;
}
@Override @Override
public UserProvider userStorage() { public UserProvider userStorage() {
if (userModel == null) { if (userModel == null) {

10
services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
View file

@ -34,8 +34,6 @@ import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType; import org.keycloak.events.admin.ResourceType;
import org.keycloak.exportimport.ClientDescriptionConverter; import org.keycloak.exportimport.ClientDescriptionConverter;
import org.keycloak.exportimport.ClientDescriptionConverterFactory; import org.keycloak.exportimport.ClientDescriptionConverterFactory;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel; import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
@ -44,7 +42,7 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProviderModel; import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.models.cache.CacheRealmProvider; import org.keycloak.models.cache.CacheRealmProvider;
import org.keycloak.models.cache.CacheUserProvider; import org.keycloak.models.cache.UserCache;
import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation; import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel; import org.keycloak.models.utils.RepresentationToModel;
@ -55,7 +53,6 @@ import org.keycloak.representations.idm.AdminEventRepresentation;
import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.EventRepresentation; import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.GroupRepresentation; import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.PartialImportRepresentation; import org.keycloak.representations.idm.PartialImportRepresentation;
import org.keycloak.representations.idm.RealmEventsConfigRepresentation; import org.keycloak.representations.idm.RealmEventsConfigRepresentation;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
@ -67,7 +64,6 @@ import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.UsersSyncManager; import org.keycloak.services.managers.UsersSyncManager;
import org.keycloak.services.ErrorResponse; import org.keycloak.services.ErrorResponse;
import org.keycloak.services.resources.admin.RealmAuth.Resource; import org.keycloak.services.resources.admin.RealmAuth.Resource;
import org.keycloak.timer.TimerProvider;
import javax.ws.rs.Consumes; import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE; import javax.ws.rs.DELETE;
@ -85,8 +81,6 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status; import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.UriInfo; import javax.ws.rs.core.UriInfo;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.text.ParseException; import java.text.ParseException;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
@ -866,7 +860,7 @@ public class RealmAdminResource {
public void clearUserCache() { public void clearUserCache() {
auth.requireManage(); auth.requireManage();
CacheUserProvider cache = session.getProvider(CacheUserProvider.class); UserCache cache = session.getProvider(UserCache.class);
if (cache != null) { if (cache != null) {
cache.clear(); cache.clear();
} }

211
server-spi/src/main/java/org/keycloak/storage/UserStorageManager.java → services/src/main/java/org/keycloak/storage/UserStorageManager.java
View file

@ -20,12 +20,6 @@ package org.keycloak.storage;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.common.util.reflections.Types; import org.keycloak.common.util.reflections.Types;
import org.keycloak.component.ComponentModel; import org.keycloak.component.ComponentModel;
import org.keycloak.component.PrioritizedComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.CredentialProviderFactory;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.CredentialValidationOutput; import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.FederatedIdentityModel;
@ -36,6 +30,8 @@ import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel; import org.keycloak.models.RoleModel;
import org.keycloak.models.UserConsentModel; import org.keycloak.models.UserConsentModel;
import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.cache.OnUserCache;
import org.keycloak.storage.user.UserCredentialAuthenticationProvider; import org.keycloak.storage.user.UserCredentialAuthenticationProvider;
import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserCredentialModel;
import org.keycloak.storage.user.UserCredentialValidatorProvider; import org.keycloak.storage.user.UserCredentialValidatorProvider;
@ -62,7 +58,7 @@ import java.util.Set;
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class UserStorageManager implements UserProvider { public class UserStorageManager implements UserProvider, OnUserCache {
private static final Logger logger = Logger.getLogger(UserStorageManager.class); private static final Logger logger = Logger.getLogger(UserStorageManager.class);
@ -76,22 +72,22 @@ public class UserStorageManager implements UserProvider {
return session.userLocalStorage(); return session.userLocalStorage();
} }
protected List<UserStorageProviderModel> getStorageProviders(RealmModel realm) { public static List<UserStorageProviderModel> getStorageProviders(RealmModel realm) {
return realm.getUserStorageProviders(); return realm.getUserStorageProviders();
} }
protected <T> T getFirstStorageProvider(RealmModel realm, Class<T> type) { public static <T> T getFirstStorageProvider(KeycloakSession session, RealmModel realm, Class<T> type) {
for (UserStorageProviderModel model : getStorageProviders(realm)) { for (UserStorageProviderModel model : getStorageProviders(realm)) {
UserStorageProviderFactory factory = (UserStorageProviderFactory)session.getKeycloakSessionFactory().getProviderFactory(UserStorageProvider.class, model.getProviderId()); UserStorageProviderFactory factory = (UserStorageProviderFactory)session.getKeycloakSessionFactory().getProviderFactory(UserStorageProvider.class, model.getProviderId());
if (Types.supports(type, factory, UserStorageProviderFactory.class)) { if (Types.supports(type, factory, UserStorageProviderFactory.class)) {
return type.cast(getStorageProviderInstance(model, factory)); return type.cast(getStorageProviderInstance(session, model, factory));
} }
} }
return null; return null;
} }
protected UserStorageProvider getStorageProviderInstance(UserStorageProviderModel model, UserStorageProviderFactory factory) { public static UserStorageProvider getStorageProviderInstance(KeycloakSession session, UserStorageProviderModel model, UserStorageProviderFactory factory) {
UserStorageProvider instance = (UserStorageProvider)session.getAttribute(model.getId()); UserStorageProvider instance = (UserStorageProvider)session.getAttribute(model.getId());
if (instance != null) return instance; if (instance != null) return instance;
instance = factory.create(session, model); instance = factory.create(session, model);
@ -101,12 +97,12 @@ public class UserStorageManager implements UserProvider {
} }
protected <T> List<T> getStorageProviders(RealmModel realm, Class<T> type) { public static <T> List<T> getStorageProviders(KeycloakSession session, RealmModel realm, Class<T> type) {
List<T> list = new LinkedList<>(); List<T> list = new LinkedList<>();
for (UserStorageProviderModel model : getStorageProviders(realm)) { for (UserStorageProviderModel model : getStorageProviders(realm)) {
UserStorageProviderFactory factory = (UserStorageProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(UserStorageProvider.class, model.getProviderId()); UserStorageProviderFactory factory = (UserStorageProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(UserStorageProvider.class, model.getProviderId());
if (Types.supports(type, factory, UserStorageProviderFactory.class)) { if (Types.supports(type, factory, UserStorageProviderFactory.class)) {
list.add(type.cast(getStorageProviderInstance(model, factory))); list.add(type.cast(getStorageProviderInstance(session, model, factory)));
} }
@ -122,21 +118,21 @@ public class UserStorageManager implements UserProvider {
@Override @Override
public UserModel addUser(RealmModel realm, String username) { public UserModel addUser(RealmModel realm, String username) {
UserRegistrationProvider registry = getFirstStorageProvider(realm, UserRegistrationProvider.class); UserRegistrationProvider registry = getFirstStorageProvider(session, realm, UserRegistrationProvider.class);
if (registry != null) { if (registry != null) {
return registry.addUser(realm, username); return registry.addUser(realm, username);
} }
return localStorage().addUser(realm, username.toLowerCase()); return localStorage().addUser(realm, username.toLowerCase());
} }
public UserStorageProvider getStorageProvider(RealmModel realm, String componentId) { public static UserStorageProvider getStorageProvider(KeycloakSession session, RealmModel realm, String componentId) {
ComponentModel model = realm.getComponent(componentId); ComponentModel model = realm.getComponent(componentId);
if (model == null) return null; if (model == null) return null;
UserStorageProviderFactory factory = (UserStorageProviderFactory)session.getKeycloakSessionFactory().getProviderFactory(UserStorageProvider.class, model.getProviderId()); UserStorageProviderFactory factory = (UserStorageProviderFactory)session.getKeycloakSessionFactory().getProviderFactory(UserStorageProvider.class, model.getProviderId());
if (factory == null) { if (factory == null) {
throw new ModelException("Could not find UserStorageProviderFactory for: " + model.getProviderId()); throw new ModelException("Could not find UserStorageProviderFactory for: " + model.getProviderId());
} }
return getStorageProviderInstance(new UserStorageProviderModel(model), factory); return getStorageProviderInstance(session, new UserStorageProviderModel(model), factory);
} }
@Override @Override
@ -146,7 +142,7 @@ public class UserStorageManager implements UserProvider {
if (storageId.getProviderId() == null) { if (storageId.getProviderId() == null) {
return localStorage().removeUser(realm, user); return localStorage().removeUser(realm, user);
} }
UserRegistrationProvider registry = (UserRegistrationProvider)getStorageProvider(realm, storageId.getProviderId()); UserRegistrationProvider registry = (UserRegistrationProvider)getStorageProvider(session, realm, storageId.getProviderId());
if (registry == null) { if (registry == null) {
throw new ModelException("Could not resolve StorageProvider: " + storageId.getProviderId()); throw new ModelException("Could not resolve StorageProvider: " + storageId.getProviderId());
} }
@ -239,7 +235,7 @@ public class UserStorageManager implements UserProvider {
if (storageId.getProviderId() == null) { if (storageId.getProviderId() == null) {
return localStorage().getUserById(id, realm); return localStorage().getUserById(id, realm);
} }
UserLookupProvider provider = (UserLookupProvider)getStorageProvider(realm, storageId.getProviderId()); UserLookupProvider provider = (UserLookupProvider)getStorageProvider(session, realm, storageId.getProviderId());
return provider.getUserById(id, realm); return provider.getUserById(id, realm);
} }
@ -252,7 +248,7 @@ public class UserStorageManager implements UserProvider {
public UserModel getUserByUsername(String username, RealmModel realm) { public UserModel getUserByUsername(String username, RealmModel realm) {
UserModel user = localStorage().getUserByUsername(username, realm); UserModel user = localStorage().getUserByUsername(username, realm);
if (user != null) return user; if (user != null) return user;
for (UserLookupProvider provider : getStorageProviders(realm, UserLookupProvider.class)) { for (UserLookupProvider provider : getStorageProviders(session, realm, UserLookupProvider.class)) {
user = provider.getUserByUsername(username, realm); user = provider.getUserByUsername(username, realm);
if (user != null) return user; if (user != null) return user;
} }
@ -263,7 +259,7 @@ public class UserStorageManager implements UserProvider {
public UserModel getUserByEmail(String email, RealmModel realm) { public UserModel getUserByEmail(String email, RealmModel realm) {
UserModel user = localStorage().getUserByEmail(email, realm); UserModel user = localStorage().getUserByEmail(email, realm);
if (user != null) return user; if (user != null) return user;
for (UserLookupProvider provider : getStorageProviders(realm, UserLookupProvider.class)) { for (UserLookupProvider provider : getStorageProviders(session, realm, UserLookupProvider.class)) {
user = provider.getUserByEmail(email, realm); user = provider.getUserByEmail(email, realm);
if (user != null) return user; if (user != null) return user;
} }
@ -305,7 +301,7 @@ public class UserStorageManager implements UserProvider {
@Override @Override
public int getUsersCount(RealmModel realm) { public int getUsersCount(RealmModel realm) {
int size = localStorage().getUsersCount(realm); int size = localStorage().getUsersCount(realm);
for (UserQueryProvider provider : getStorageProviders(realm, UserQueryProvider.class)) { for (UserQueryProvider provider : getStorageProviders(session, realm, UserQueryProvider.class)) {
size += provider.getUsersCount(realm); size += provider.getUsersCount(realm);
} }
return size; return size;
@ -321,7 +317,7 @@ public class UserStorageManager implements UserProvider {
List<UserQueryProvider> storageProviders = getStorageProviders(realm, UserQueryProvider.class); List<UserQueryProvider> storageProviders = getStorageProviders(session, realm, UserQueryProvider.class);
// we can skip rest of method if there are no storage providers // we can skip rest of method if there are no storage providers
if (storageProviders.isEmpty()) { if (storageProviders.isEmpty()) {
return pagedQuery.query(localStorage(), firstResult, maxResults); return pagedQuery.query(localStorage(), firstResult, maxResults);
@ -453,7 +449,7 @@ public class UserStorageManager implements UserProvider {
@Override @Override
public void grantToAllUsers(RealmModel realm, RoleModel role) { public void grantToAllUsers(RealmModel realm, RoleModel role) {
// not federation-aware for now // not federation-aware for now
List<UserRegistrationProvider> storageProviders = getStorageProviders(realm, UserRegistrationProvider.class); List<UserRegistrationProvider> storageProviders = getStorageProviders(session, realm, UserRegistrationProvider.class);
LinkedList<UserRegistrationProvider> providers = new LinkedList<>(); LinkedList<UserRegistrationProvider> providers = new LinkedList<>();
providers.add(localStorage()); providers.add(localStorage());
providers.addAll(storageProviders); providers.addAll(storageProviders);
@ -488,7 +484,7 @@ public class UserStorageManager implements UserProvider {
public void preRemove(RealmModel realm) { public void preRemove(RealmModel realm) {
localStorage().preRemove(realm); localStorage().preRemove(realm);
getFederatedStorage().preRemove(realm); getFederatedStorage().preRemove(realm);
for (UserStorageProvider provider : getStorageProviders(realm, UserStorageProvider.class)) { for (UserStorageProvider provider : getStorageProviders(session, realm, UserStorageProvider.class)) {
provider.preRemove(realm); provider.preRemove(realm);
} }
} }
@ -503,7 +499,7 @@ public class UserStorageManager implements UserProvider {
public void preRemove(RealmModel realm, GroupModel group) { public void preRemove(RealmModel realm, GroupModel group) {
localStorage().preRemove(realm, group); localStorage().preRemove(realm, group);
getFederatedStorage().preRemove(realm, group); getFederatedStorage().preRemove(realm, group);
for (UserStorageProvider provider : getStorageProviders(realm, UserStorageProvider.class)) { for (UserStorageProvider provider : getStorageProviders(session, realm, UserStorageProvider.class)) {
provider.preRemove(realm, group); provider.preRemove(realm, group);
} }
} }
@ -512,7 +508,7 @@ public class UserStorageManager implements UserProvider {
public void preRemove(RealmModel realm, RoleModel role) { public void preRemove(RealmModel realm, RoleModel role) {
localStorage().preRemove(realm, role); localStorage().preRemove(realm, role);
getFederatedStorage().preRemove(realm, role); getFederatedStorage().preRemove(realm, role);
for (UserStorageProvider provider : getStorageProviders(realm, UserStorageProvider.class)) { for (UserStorageProvider provider : getStorageProviders(session, realm, UserStorageProvider.class)) {
provider.preRemove(realm, role); provider.preRemove(realm, role);
} }
} }
@ -564,7 +560,7 @@ public class UserStorageManager implements UserProvider {
if (toValidate.isEmpty()) return true; if (toValidate.isEmpty()) return true;
UserStorageProvider provider = getStorageProvider(realm, StorageId.resolveProviderId(user)); UserStorageProvider provider = getStorageProvider(session, realm, StorageId.resolveProviderId(user));
if (!(provider instanceof UserCredentialValidatorProvider)) { if (!(provider instanceof UserCredentialValidatorProvider)) {
return false; return false;
} }
@ -578,7 +574,7 @@ public class UserStorageManager implements UserProvider {
@Override @Override
public CredentialValidationOutput validCredentials(KeycloakSession session, RealmModel realm, UserCredentialModel... input) { public CredentialValidationOutput validCredentials(KeycloakSession session, RealmModel realm, UserCredentialModel... input) {
List<UserCredentialAuthenticationProvider> providers = getStorageProviders(realm, UserCredentialAuthenticationProvider.class); List<UserCredentialAuthenticationProvider> providers = getStorageProviders(session, realm, UserCredentialAuthenticationProvider.class);
if (providers.isEmpty()) return CredentialValidationOutput.failed(); if (providers.isEmpty()) return CredentialValidationOutput.failed();
CredentialValidationOutput result = null; CredentialValidationOutput result = null;
@ -612,154 +608,23 @@ public class UserStorageManager implements UserProvider {
} }
@Override
public void onCache(RealmModel realm, CachedUserModel user) {
if (StorageId.isLocalStorage(user)) {
if (session.userLocalStorage() instanceof OnUserCache) {
((OnUserCache)session.userLocalStorage()).onCache(realm, user);
}
} else {
Object provider = getStorageProvider(session, realm, StorageId.resolveProviderId(user));
if (provider != null && provider instanceof OnUserCache) {
((OnUserCache)provider).onCache(realm, user);
}
}
}
@Override @Override
public void close() { public void close() {
} }
@Override
public boolean isValid(RealmModel realm, UserModel user, List<CredentialInput> inputs) {
List<CredentialInput> toValidate = new LinkedList<>();
toValidate.addAll(inputs);
if (!StorageId.isLocalStorage(user)) {
String providerId = StorageId.resolveProviderId(user);
UserStorageProvider provider = getStorageProvider(realm, providerId);
if (provider instanceof CredentialInputValidator) {
Iterator<CredentialInput> it = toValidate.iterator();
while (it.hasNext()) {
CredentialInput input = it.next();
CredentialInputValidator validator = (CredentialInputValidator)provider;
if (validator.supportsCredentialType(input.getType()) && validator.isValid(realm, user, input)) {
it.remove();
}
}
}
}
if (toValidate.isEmpty()) return true;
List<ComponentModel> components = getCredentialProviderComponents(realm);
for (ComponentModel component : components) {
CredentialProviderFactory factory = (CredentialProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CredentialProvider.class, component.getProviderId());
if (!Types.supports(CredentialInputValidator.class, factory, CredentialProviderFactory.class)) continue;
Iterator<CredentialInput> it = toValidate.iterator();
while (it.hasNext()) {
CredentialInput input = it.next();
CredentialInputValidator validator = (CredentialInputValidator)session.getAttribute(component.getId());
if (validator == null) {
validator = (CredentialInputValidator)factory.create(session, component);
session.setAttribute(component.getId(), validator);
}
if (validator.supportsCredentialType(input.getType()) && validator.isValid(realm, user, input)) {
it.remove();
}
}
}
return toValidate.isEmpty();
}
protected List<ComponentModel> getCredentialProviderComponents(RealmModel realm) {
List<ComponentModel> components = realm.getComponents(realm.getId(), CredentialProvider.class.getName());
Collections.sort(components, PrioritizedComponentModel.comparator);
return components;
}
@Override
public void updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
if (!StorageId.isLocalStorage(user)) {
String providerId = StorageId.resolveProviderId(user);
UserStorageProvider provider = getStorageProvider(realm, providerId);
if (provider instanceof CredentialInputUpdater) {
CredentialInputUpdater updater = (CredentialInputUpdater)provider;
if (updater.supportsCredentialType(input.getType())) {
updater.updateCredential(realm, user, input);
return;
}
}
}
List<ComponentModel> components = getCredentialProviderComponents(realm);
for (ComponentModel component : components) {
CredentialProviderFactory factory = (CredentialProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CredentialProvider.class, component.getProviderId());
if (!Types.supports(CredentialInputUpdater.class, factory, CredentialProviderFactory.class)) continue;
CredentialInputUpdater updater = (CredentialInputUpdater)session.getAttribute(component.getId());
if (updater == null) {
updater = (CredentialInputUpdater)factory.create(session, component);
session.setAttribute(component.getId(), updater);
}
if (!updater.supportsCredentialType(input.getType())) continue;
updater.updateCredential(realm, user, input);
return;
}
}
@Override
public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
if (!StorageId.isLocalStorage(user)) {
String providerId = StorageId.resolveProviderId(user);
UserStorageProvider provider = getStorageProvider(realm, providerId);
if (provider instanceof CredentialInputValidator) {
CredentialInputValidator validator = (CredentialInputValidator)provider;
if (validator.supportsCredentialType(type) && validator.isConfiguredFor(realm, user, type)) {
return true;
}
}
}
List<ComponentModel> components = getCredentialProviderComponents(realm);
for (ComponentModel component : components) {
CredentialProviderFactory factory = (CredentialProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CredentialProvider.class, component.getProviderId());
if (!Types.supports(CredentialInputUpdater.class, factory, CredentialProviderFactory.class)) continue;
CredentialInputValidator validator = (CredentialInputValidator)session.getAttribute(component.getId());
if (validator == null) {
validator = (CredentialInputValidator)factory.create(session, component);
session.setAttribute(component.getId(), validator);
}
if (validator.supportsCredentialType(type) && validator.isConfiguredFor(realm, user, type)) {
return true;
}
}
return false;
}
@Override
public Set<String> requiredActionsFor(RealmModel realm, UserModel user, String type) {
Set<String> requiredActionsFor = Collections.EMPTY_SET;
if (!StorageId.isLocalStorage(user)) {
String providerId = StorageId.resolveProviderId(user);
UserStorageProvider provider = getStorageProvider(realm, providerId);
if (provider instanceof CredentialInputUpdater) {
CredentialInputUpdater updater = (CredentialInputUpdater)provider;
if (updater.supportsCredentialType(type)) {
requiredActionsFor = updater.requiredActionsFor(realm, user, type);
if (!requiredActionsFor.isEmpty()) {
return requiredActionsFor;
}
}
}
}
List<ComponentModel> components = getCredentialProviderComponents(realm);
for (ComponentModel component : components) {
CredentialProviderFactory factory = (CredentialProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CredentialProvider.class, component.getProviderId());
if (!Types.supports(CredentialInputUpdater.class, factory, CredentialProviderFactory.class)) continue;
CredentialInputUpdater updater = (CredentialInputUpdater)session.getAttribute(component.getId());
if (updater == null) {
updater = (CredentialInputUpdater)factory.create(session, component);
session.setAttribute(component.getId(), updater);
}
if (updater.supportsCredentialType(type)) {
requiredActionsFor = updater.requiredActionsFor(realm, user, type);
if (!requiredActionsFor.isEmpty()) {
return requiredActionsFor;
}
}
}
return requiredActionsFor;
}
} }