Merge pull request #312 from mposolda/ldap

Refactoring of AuthenticationProvider SPI. Add Ldap settings into admin console
This commit is contained in:
Bill Burke 2014-04-02 11:37:11 -04:00
commit 7d7b9e5b73
40 changed files with 404 additions and 462 deletions

View file

@ -129,7 +129,7 @@ module.config([ '$routeProvider', function($routeProvider) {
return RealmLoader();
}
},
controller : 'RealmSMTPSettingsCtrl'
controller : 'RealmLdapSettingsCtrl'
})
.when('/create/user/:realm', {
templateUrl : 'partials/user-detail.html',

View file

@ -886,3 +886,32 @@ module.controller('RealmSMTPSettingsCtrl', function($scope, Current, Realm, real
return obj;
}
});
module.controller('RealmLdapSettingsCtrl', function($scope, Realm, realm, $location, Notifications) {
console.log('RealmLdapSettingsCtrl');
$scope.realm = realm;
var oldCopy = angular.copy($scope.realm);
$scope.changed = false;
$scope.$watch('realm', function() {
if (!angular.equals($scope.realm, oldCopy)) {
$scope.changed = true;
}
}, true);
$scope.save = function() {
var realmCopy = angular.copy($scope.realm);
$scope.changed = false;
Realm.update(realmCopy, function () {
$location.url("/realms/" + realm.realm + "/ldap-settings");
Notifications.success("Your changes have been saved to the realm.");
});
};
$scope.reset = function() {
$scope.realm = angular.copy(oldCopy);
$scope.changed = false;
};
});

View file

@ -7,60 +7,39 @@
<li><a href="#/realms/{{realm.realm}}">Settings</a></li>
<li class="active">Ldap Configuration</li>
</ol>
<h2><span>{{realm.realm}}</span> Email Server Settings</h2>
<h2><span>{{realm.realm}}</span> Ldap Server Settings</h2>
<form class="form-horizontal" name="realmForm" novalidate kc-read-only="!access.manageRealm">
<span class="fieldset-notice"><span class="required">*</span> Required fields</span>
<fieldset>
<legend><span class="text">Required Settings</span></legend>
<div class="form-group clearfix">
<label class="col-sm-2 control-label" for="smtpHost">Host <span class="required">*</span></label>
<label class="col-sm-2 control-label" for="ldapConnectionUrl">Connection URL <span class="required">*</span></label>
<div class="col-sm-4">
<input class="form-control" id="smtpHost" type="text" ng-model="realm.smtpServer.host" placeholder="SMTP Host" required>
<input class="form-control" id="ldapConnectionUrl" type="text" ng-model="realm.ldapServer.connectionUrl" placeholder="LDAP connection URL" required>
</div>
</div>
<div class="form-group clearfix">
<label class="col-sm-2 control-label" for="smtpPort">Port <span class="required">*</span></label>
<label class="col-sm-2 control-label" for="ldapBaseDn">Base DN <span class="required">*</span></label>
<div class="col-sm-4">
<input class="form-control" id="smtpPort" type="number" ng-model="realm.smtpServer.port" placeholder="SMTP Port (defaults to 25)" required>
<input class="form-control" id="ldapBaseDn" type="text" ng-model="realm.ldapServer.baseDn" placeholder="LDAP Base DN" required>
</div>
</div>
<div class="form-group clearfix">
<label class="col-sm-2 control-label" for="smtpFrom">From <span class="required">*</span></label>
<label class="col-sm-2 control-label" for="ldapUserDnSuffix">User DN Suffix <span class="required">*</span></label>
<div class="col-sm-4">
<input class="form-control" id="smtpFrom" type="email" ng-model="realm.smtpServer.from" placeholder="Sender Email Address" required>
<input class="form-control" id="ldapUserDnSuffix" type="text" ng-model="realm.ldapServer.userDnSuffix" placeholder="LDAP User DN Suffix" required>
</div>
</div>
<div class="form-group clearfix">
<label class="col-sm-2 control-label" for="smtpSSL">Enable SSL</label>
<label class="col-sm-2 control-label" for="ldapBindDn">Bind DN <span class="required">*</span></label>
<div class="col-sm-4">
<input ng-model="realm.smtpServer.ssl" name="smtpSSL" id="smtpSSL" onoffswitch />
<input class="form-control" id="ldapBindDn" type="text" ng-model="realm.ldapServer.bindDn" placeholder="LDAP Bind DN" required>
</div>
</div>
<div class="form-group clearfix">
<label class="col-sm-2 control-label" for="smtpStartTLS">Enable StartTLS</label>
<label class="col-sm-2 control-label" for="ldapBindCredential">Bind Credential <span class="required">*</span></label>
<div class="col-sm-4">
<input ng-model="realm.smtpServer.starttls" name="smtpStartTLS" id="smtpStartTLS" onoffswitch />
</div>
</div>
</fieldset>
<fieldset>
<legend><span class="text">Authentication</span></legend>
<div class="form-group clearfix">
<label class="col-sm-2 control-label" for="smtpAuth">Enable Authentication</label>
<div class="col-sm-4">
<input ng-model="realm.smtpServer.auth" name="smtpAuth" id="smtpAuth" onoffswitch />
</div>
</div>
<div class="form-group clearfix" data-ng-show="realm.smtpServer.auth">
<label class="col-sm-2 control-label" for="smtpUsername">Username <span class="required" ng-show="realm.smtpServer.auth">*</span></label>
<div class="col-sm-4">
<input class="form-control" id="smtpUsername" type="text" ng-model="realm.smtpServer.user" placeholder="Login Username" ng-disabled="!realm.smtpServer.auth" ng-required="realm.smtpServer.auth">
</div>
</div>
<div class="form-group clearfix" data-ng-show="realm.smtpServer.auth">
<label class="col-sm-2 control-label" for="smtpPassword">Password <span class="required" ng-show="realm.smtpServer.auth">*</span></label>
<div class="col-sm-4">
<input class="form-control" id="smtpPassword" type="password" ng-model="realm.smtpServer.password" placeholder="Login Password" ng-disabled="!realm.smtpServer.auth" ng-required="realm.smtpServer.auth">
<input class="form-control" id="ldapBindCredential" type="text" ng-model="realm.ldapServer.bindCredential" placeholder="LDAP Bind Credentials" required>
</div>
</div>
</fieldset>

View file

@ -1,7 +1,7 @@
<ul data-ng-hide="createRealm">
<li data-ng-show="access.viewRealm" data-ng-class="((!path[2] || path[1] == 'role' || path[2] == 'roles' || path[2] == 'token-settings' ||
path[2] == 'social-settings' || path[2] == 'required-credentials' || path[2] == 'default-roles' || path[2] == 'registration-settings' ||
path[2] == 'keys-settings' || path[2] == 'smtp-settings') && path[3] != 'applications') && 'active'"><a href="#/realms/{{realm.realm}}">Settings</a></li>
path[2] == 'keys-settings' || path[2] == 'smtp-settings' || path[2] == 'ldap-settings') && path[3] != 'applications') && 'active'"><a href="#/realms/{{realm.realm}}">Settings</a></li>
<li data-ng-show="access.viewUsers" data-ng-class="(path[2] == 'users' || path[1] == 'user') && 'active'"><a href="#/realms/{{realm.realm}}/users">Users</a>
</li>
<li data-ng-show="access.viewApplications" data-ng-class="(path[2] == 'applications' || path[1] == 'application' || path[3] == 'applications') && 'active'"><a href="#/realms/{{realm.realm}}/applications">Applications</a></li>

View file

@ -7,4 +7,5 @@
<li ng-class="{active: path[2] == 'token-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/token-settings">Token</a></li>
<li ng-class="{active: path[2] == 'keys-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/keys-settings">Keys</a></li>
<li ng-class="{active: path[2] == 'smtp-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/smtp-settings">Email</a></li>
<li ng-class="{active: path[2] == 'ldap-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/ldap-settings">Ldap</a></li>
</ul>

View file

@ -1,39 +0,0 @@
package org.keycloak.representations.idm;
import java.util.List;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class AuthenticationMappingRepresentation {
protected String self; // link
protected String username;
protected List<AuthenticationLinkRepresentation> authenticationLinks;
public String getSelf() {
return self;
}
public void setSelf(String self) {
this.self = self;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public List<AuthenticationLinkRepresentation> getAuthenticationLinks() {
return authenticationLinks;
}
public void setAuthenticationLinks(List<AuthenticationLinkRepresentation> authenticationLinks) {
this.authenticationLinks = authenticationLinks;
}
}

View file

@ -39,7 +39,6 @@ public class RealmRepresentation {
protected Map<String, List<UserRoleMappingRepresentation>> applicationRoleMappings;
protected Map<String, List<ScopeMappingRepresentation>> applicationScopeMappings;
protected List<SocialMappingRepresentation> socialMappings;
protected List<AuthenticationMappingRepresentation> authenticationMappings;
protected List<ApplicationRepresentation> applications;
protected List<OAuthClientRepresentation> oauthClients;
protected Map<String, String> socialProviders;
@ -181,18 +180,6 @@ public class RealmRepresentation {
return mapping;
}
public List<AuthenticationMappingRepresentation> getAuthenticationMappings() {
return authenticationMappings;
}
public AuthenticationMappingRepresentation authenticationMapping(String username) {
AuthenticationMappingRepresentation mapping = new AuthenticationMappingRepresentation();
mapping.setUsername(username);
if (authenticationMappings == null) authenticationMappings = new ArrayList<AuthenticationMappingRepresentation>();
authenticationMappings.add(mapping);
return mapping;
}
public Set<String> getRequiredCredentials() {
return requiredCredentials;
}

View file

@ -20,6 +20,7 @@ public class UserRepresentation {
protected String firstName;
protected String lastName;
protected String email;
protected AuthenticationLinkRepresentation authenticationLink;
protected Map<String, String> attributes;
protected List<CredentialRepresentation> credentials;
protected List<String> requiredActions;
@ -96,6 +97,14 @@ public class UserRepresentation {
this.emailVerified = emailVerified;
}
public AuthenticationLinkRepresentation getAuthenticationLink() {
return authenticationLink;
}
public void setAuthenticationLink(AuthenticationLinkRepresentation authenticationLink) {
this.authenticationLink = authenticationLink;
}
public Map<String, String> getAttributes() {
return attributes;
}

View file

@ -1,5 +1,6 @@
package org.keycloak.models;
import java.util.Collections;
import java.util.Map;
/**
@ -7,6 +8,8 @@ import java.util.Map;
*/
public class AuthenticationProviderModel {
public static final AuthenticationProviderModel DEFAULT_PROVIDER = new AuthenticationProviderModel("model", true, Collections.EMPTY_MAP);
private String providerName;
private boolean passwordUpdateSupported = true;
private Map<String, String> config;

View file

@ -134,11 +134,9 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
boolean removeSocialLink(UserModel user, String socialProvider);
UserModel getUserByAuthenticationLink(AuthenticationLinkModel authenticationLink);
AuthenticationLinkModel getAuthenticationLink(UserModel user);
Set<AuthenticationLinkModel> getAuthenticationLinks(UserModel user);
void addAuthenticationLink(UserModel user, AuthenticationLinkModel authenticationLink);
void setAuthenticationLink(UserModel user, AuthenticationLinkModel authenticationLink);
boolean isSocial();

View file

@ -38,6 +38,8 @@ import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
@ -393,7 +395,9 @@ public class RealmAdapter implements RealmModel {
private void removeUser(UserEntity user) {
em.createQuery("delete from " + UserRoleMappingEntity.class.getSimpleName() + " where user = :user").setParameter("user", user).executeUpdate();
em.createQuery("delete from " + SocialLinkEntity.class.getSimpleName() + " where user = :user").setParameter("user", user).executeUpdate();
em.createQuery("delete from " + AuthenticationLinkEntity.class.getSimpleName() + " where user = :user").setParameter("user", user).executeUpdate();
if (user.getAuthenticationLink() != null) {
em.remove(user.getAuthenticationLink());
}
em.remove(user);
}
@ -612,43 +616,22 @@ public class RealmAdapter implements RealmModel {
}
@Override
public UserModel getUserByAuthenticationLink(AuthenticationLinkModel authenticationLink) {
TypedQuery<UserEntity> query = em.createNamedQuery("findUserByAuthLinkAndRealm", UserEntity.class);
query.setParameter("realm", realm);
query.setParameter("authProvider", authenticationLink.getAuthProvider());
query.setParameter("authUserId", authenticationLink.getAuthUserId());
List<UserEntity> results = query.getResultList();
if (results.isEmpty()) {
return null;
} else if (results.size() > 1) {
throw new IllegalStateException("More results found for authenticationProvider=" + authenticationLink.getAuthProvider() +
", authUserId=" + authenticationLink.getAuthUserId() + ", results=" + results);
} else {
UserEntity user = results.get(0);
return new UserAdapter(user);
}
public AuthenticationLinkModel getAuthenticationLink(UserModel user) {
UserEntity userEntity = ((UserAdapter) user).getUser();
AuthenticationLinkEntity authLinkEntity = userEntity.getAuthenticationLink();
return authLinkEntity == null ? null : new AuthenticationLinkModel(authLinkEntity.getAuthProvider(), authLinkEntity.getAuthUserId());
}
@Override
public Set<AuthenticationLinkModel> getAuthenticationLinks(UserModel user) {
TypedQuery<AuthenticationLinkEntity> query = em.createNamedQuery("findAuthLinkByUser", AuthenticationLinkEntity.class);
query.setParameter("user", ((UserAdapter) user).getUser());
List<AuthenticationLinkEntity> results = query.getResultList();
Set<AuthenticationLinkModel> set = new HashSet<AuthenticationLinkModel>();
for (AuthenticationLinkEntity entity : results) {
set.add(new AuthenticationLinkModel(entity.getAuthProvider(), entity.getAuthUserId()));
}
return set;
}
@Override
public void addAuthenticationLink(UserModel user, AuthenticationLinkModel authenticationLink) {
public void setAuthenticationLink(UserModel user, AuthenticationLinkModel authenticationLink) {
AuthenticationLinkEntity entity = new AuthenticationLinkEntity();
entity.setRealm(realm);
entity.setAuthProvider(authenticationLink.getAuthProvider());
entity.setAuthUserId(authenticationLink.getAuthUserId());
entity.setUser(((UserAdapter) user).getUser());
UserEntity userEntity = ((UserAdapter) user).getUser();
userEntity.setAuthenticationLink(entity);
em.persist(entity);
em.persist(userEntity);
em.flush();
}
@ -814,7 +797,15 @@ public class RealmAdapter implements RealmModel {
@Override
public List<AuthenticationProviderModel> getAuthenticationProviders() {
Collection<AuthenticationProviderEntity> entities = realm.getAuthenticationProviders();
List<AuthenticationProviderEntity> entities = realm.getAuthenticationProviders();
Collections.sort(entities, new Comparator<AuthenticationProviderEntity>() {
@Override
public int compare(AuthenticationProviderEntity o1, AuthenticationProviderEntity o2) {
return o1.getPriority() - o2.getPriority();
}
});
List<AuthenticationProviderModel> result = new ArrayList<AuthenticationProviderModel>();
for (AuthenticationProviderEntity entity : entities) {
result.add(new AuthenticationProviderModel(entity.getProviderName(), entity.isPasswordUpdateSupported(), entity.getConfig()));
@ -826,11 +817,13 @@ public class RealmAdapter implements RealmModel {
@Override
public void setAuthenticationProviders(List<AuthenticationProviderModel> authenticationProviders) {
List<AuthenticationProviderEntity> newEntities = new ArrayList<AuthenticationProviderEntity>();
int counter = 1;
for (AuthenticationProviderModel model : authenticationProviders) {
AuthenticationProviderEntity entity = new AuthenticationProviderEntity();
entity.setProviderName(model.getProviderName());
entity.setPasswordUpdateSupported(model.isPasswordUpdateSupported());
entity.setConfig(model.getConfig());
entity.setPriority(counter++);
newEntities.add(entity);
}

View file

@ -6,16 +6,13 @@ import javax.persistence.Id;
import javax.persistence.ManyToOne;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.OneToOne;
import org.hibernate.annotations.GenericGenerator;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
@NamedQueries({
@NamedQuery(name="findAuthLinkByUser", query="select link from AuthenticationLinkEntity link where link.user = :user"),
@NamedQuery(name="findUserByAuthLinkAndRealm", query="select link.user from AuthenticationLinkEntity link where link.realm = :realm and link.authProvider = :authProvider and link.authUserId = :authUserId")
})
@Entity
public class AuthenticationLinkEntity {
@ -24,12 +21,6 @@ public class AuthenticationLinkEntity {
@GeneratedValue(generator = "keycloak_generator")
private String id;
@ManyToOne
private UserEntity user;
@ManyToOne
protected RealmEntity realm;
protected String authProvider;
protected String authUserId;
@ -41,22 +32,6 @@ public class AuthenticationLinkEntity {
this.id = id;
}
public UserEntity getUser() {
return user;
}
public void setUser(UserEntity user) {
this.user = user;
}
public RealmEntity getRealm() {
return realm;
}
public void setRealm(RealmEntity realm) {
this.realm = realm;
}
public String getAuthProvider() {
return authProvider;
}

View file

@ -25,6 +25,7 @@ public class AuthenticationProviderEntity {
private String providerName;
private boolean passwordUpdateSupported;
private int priority;
@ElementCollection
@MapKeyColumn(name="name")
@ -56,6 +57,14 @@ public class AuthenticationProviderEntity {
this.passwordUpdateSupported = passwordUpdateSupported;
}
public int getPriority() {
return priority;
}
public void setPriority(int priority) {
this.priority = priority;
}
public Map<String, String> getConfig() {
return config;
}

View file

@ -17,6 +17,7 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
@ -67,7 +68,7 @@ public class RealmEntity {
@OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true)
@JoinTable(name="AuthProviders")
Collection<AuthenticationProviderEntity> authenticationProviders = new ArrayList<AuthenticationProviderEntity>();
List<AuthenticationProviderEntity> authenticationProviders = new ArrayList<AuthenticationProviderEntity>();
@OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
Collection<ApplicationEntity> applications = new ArrayList<ApplicationEntity>();
@ -244,11 +245,11 @@ public class RealmEntity {
this.requiredCredentials = requiredCredentials;
}
public Collection<AuthenticationProviderEntity> getAuthenticationProviders() {
public List<AuthenticationProviderEntity> getAuthenticationProviders() {
return authenticationProviders;
}
public void setAuthenticationProviders(Collection<AuthenticationProviderEntity> authenticationProviders) {
public void setAuthenticationProviders(List<AuthenticationProviderEntity> authenticationProviders) {
this.authenticationProviders = authenticationProviders;
}

View file

@ -15,6 +15,8 @@ import javax.persistence.MapKeyColumn;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.OneToMany;
import javax.persistence.OneToOne;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
@ -64,6 +66,9 @@ public class UserEntity {
@OneToMany(cascade = CascadeType.REMOVE, orphanRemoval = true)
protected Collection<CredentialEntity> credentials = new ArrayList<CredentialEntity>();
@OneToOne(cascade = CascadeType.REMOVE, orphanRemoval = true)
protected AuthenticationLinkEntity authenticationLink;
public String getId() {
return id;
}
@ -160,6 +165,14 @@ public class UserEntity {
this.credentials = credentials;
}
public AuthenticationLinkEntity getAuthenticationLink() {
return authenticationLink;
}
public void setAuthenticationLink(AuthenticationLinkEntity authenticationLink) {
this.authenticationLink = authenticationLink;
}
public int getNotBefore() {
return notBefore;
}

View file

@ -927,41 +927,26 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
}
@Override
public UserModel getUserByAuthenticationLink(AuthenticationLinkModel authenticationLink) {
DBObject query = new QueryBuilder()
.and("authenticationLinks.authProvider").is(authenticationLink.getAuthProvider())
.and("authenticationLinks.authUserId").is(authenticationLink.getAuthUserId())
.and("realmId").is(getId())
.get();
UserEntity userEntity = getMongoStore().loadSingleEntity(UserEntity.class, query, invocationContext);
return userEntity==null ? null : new UserAdapter(userEntity, invocationContext);
}
@Override
public Set<AuthenticationLinkModel> getAuthenticationLinks(UserModel user) {
public AuthenticationLinkModel getAuthenticationLink(UserModel user) {
UserEntity userEntity = ((UserAdapter)user).getUser();
List<AuthenticationLinkEntity> linkEntities = userEntity.getAuthenticationLinks();
AuthenticationLinkEntity authLinkEntity = userEntity.getAuthenticationLink();
if (linkEntities == null) {
return Collections.EMPTY_SET;
if (authLinkEntity == null) {
return null;
} else {
return new AuthenticationLinkModel(authLinkEntity.getAuthProvider(), authLinkEntity.getAuthUserId());
}
Set<AuthenticationLinkModel> result = new HashSet<AuthenticationLinkModel>();
for (AuthenticationLinkEntity authLinkEntity : linkEntities) {
AuthenticationLinkModel model = new AuthenticationLinkModel(authLinkEntity.getAuthProvider(), authLinkEntity.getAuthUserId());
result.add(model);
}
return result;
}
@Override
public void addAuthenticationLink(UserModel user, AuthenticationLinkModel authenticationLink) {
public void setAuthenticationLink(UserModel user, AuthenticationLinkModel authenticationLink) {
UserEntity userEntity = ((UserAdapter)user).getUser();
AuthenticationLinkEntity authLinkEntity = new AuthenticationLinkEntity();
authLinkEntity.setAuthProvider(authenticationLink.getAuthProvider());
authLinkEntity.setAuthUserId(authenticationLink.getAuthUserId());
userEntity.setAuthenticationLink(authLinkEntity);
getMongoStore().pushItemToList(userEntity, "authenticationLinks", authLinkEntity, true, invocationContext);
getMongoStore().updateEntity(userEntity, invocationContext);
}
protected void updateRealm() {

View file

@ -33,7 +33,7 @@ public class UserEntity extends AbstractMongoIdentifiableEntity implements Mongo
private List<UserModel.RequiredAction> requiredActions;
private List<CredentialEntity> credentials = new ArrayList<CredentialEntity>();
private List<SocialLinkEntity> socialLinks;
private List<AuthenticationLinkEntity> authenticationLinks;
private AuthenticationLinkEntity authenticationLink;
@MongoField
public String getLoginName() {
@ -163,11 +163,11 @@ public class UserEntity extends AbstractMongoIdentifiableEntity implements Mongo
}
@MongoField
public List<AuthenticationLinkEntity> getAuthenticationLinks() {
return authenticationLinks;
public AuthenticationLinkEntity getAuthenticationLink() {
return authenticationLink;
}
public void setAuthenticationLinks(List<AuthenticationLinkEntity> authenticationLinks) {
this.authenticationLinks = authenticationLinks;
public void setAuthenticationLink(AuthenticationLinkEntity authenticationLink) {
this.authenticationLink = authenticationLink;
}
}

View file

@ -49,6 +49,8 @@ public class AuthProvidersExternalModelTest extends AbstractModelTest {
realm2 = realmManager.createRealm("realm2");
realm1.addRequiredCredential(CredentialRepresentation.PASSWORD);
realm2.addRequiredCredential(CredentialRepresentation.PASSWORD);
realm1.setAuthenticationProviders(Arrays.asList(AuthenticationProviderModel.DEFAULT_PROVIDER));
realm2.setAuthenticationProviders(Arrays.asList(AuthenticationProviderModel.DEFAULT_PROVIDER));
UserModel john = realm1.addUser("john");
john.setEnabled(true);
@ -93,10 +95,10 @@ public class AuthProvidersExternalModelTest extends AbstractModelTest {
Assert.assertEquals("john@email.org", john2.getEmail());
// Verify link exists
Set<AuthenticationLinkModel> authLinks = realm2.getAuthenticationLinks(john2);
Assert.assertEquals(1, authLinks.size());
AuthenticationLinkModel authLink = authLinks.iterator().next();
AuthenticationLinkModel authLink = realm2.getAuthenticationLink(john2);
Assert.assertNotNull(authLink);
Assert.assertEquals(authLink.getAuthProvider(), AuthProviderConstants.PROVIDER_NAME_EXTERNAL_MODEL);
Assert.assertEquals(authLink.getAuthUserId(), realm1.getUser("john").getId());
} finally {
ResteasyProviderFactory.clearContextData();
}
@ -108,14 +110,19 @@ public class AuthProvidersExternalModelTest extends AbstractModelTest {
// Add externalModel authenticationProvider into realm2 and point to realm1
setupAuthenticationProviders();
// Add john to realm2 and set authentication link
UserModel john = realm2.addUser("john");
john.setEnabled(true);
realm2.setAuthenticationLink(john, new AuthenticationLinkModel(AuthProviderConstants.PROVIDER_NAME_EXTERNAL_MODEL, realm1.getUser("john").getId()));
try {
// this is needed for externalModel provider
ResteasyProviderFactory.pushContext(KeycloakSession.class, identitySession);
// Change credential via realm2 and validate that they are changed in both realms
// Change credential via realm2 and validate that they are changed also in realm1
AuthenticationProviderManager authProviderManager = AuthenticationProviderManager.getManager(realm2);
try {
authProviderManager.updatePassword("john", "password-updated");
Assert.assertTrue(authProviderManager.updatePassword(john, "password-updated"));
} catch (AuthenticationProviderException ape) {
ape.printStackTrace();
Assert.fail("Error not expected");
@ -130,14 +137,14 @@ public class AuthProvidersExternalModelTest extends AbstractModelTest {
// Change credential and validate that password is updated just for realm2
try {
authProviderManager.updatePassword("john", "password-updated2");
Assert.assertFalse(authProviderManager.updatePassword(john, "password-updated2"));
} catch (AuthenticationProviderException ape) {
ape.printStackTrace();
Assert.fail("Error not expected");
}
formData = createFormData("john", "password-updated2");
Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_CREDENTIALS, am.authenticateForm(realm1, formData));
Assert.assertEquals(AuthenticationManager.AuthenticationStatus.SUCCESS, am.authenticateForm(realm2, formData));
Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_CREDENTIALS, am.authenticateForm(realm2, formData));
// Allow passwordUpdate propagation again
@ -146,7 +153,7 @@ public class AuthProvidersExternalModelTest extends AbstractModelTest {
// Set passwordPolicy for realm1 and verify that password update fail
realm1.setPasswordPolicy(new PasswordPolicy("length(8)"));
try {
authProviderManager.updatePassword("john", "passw");
authProviderManager.updatePassword(john, "passw");
Assert.fail("Update not expected to pass");
} catch (AuthenticationProviderException ape) {

View file

@ -95,9 +95,8 @@ public class AuthProvidersLDAPTest extends AbstractModelTest {
Assert.assertEquals("john@email.org", john.getEmail());
// Verify link exists
Set<AuthenticationLinkModel> authLinks = realm.getAuthenticationLinks(john);
Assert.assertEquals(1, authLinks.size());
AuthenticationLinkModel authLink = authLinks.iterator().next();
AuthenticationLinkModel authLink = realm.getAuthenticationLink(john);
Assert.assertNotNull(authLink);
Assert.assertEquals(authLink.getAuthProvider(), AuthProviderConstants.PROVIDER_NAME_PICKETLINK);
} finally {
ResteasyProviderFactory.clearContextData();
@ -114,6 +113,7 @@ public class AuthProvidersLDAPTest extends AbstractModelTest {
// Add some user and password to realm
UserModel realmUser = realm.addUser("realmUser");
realmUser.setEnabled(true);
UserCredentialModel credential = new UserCredentialModel();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue("pass");
@ -135,6 +135,11 @@ public class AuthProvidersLDAPTest extends AbstractModelTest {
realmUser.setEnabled(false);
formData = AuthProvidersExternalModelTest.createFormData("realmUser", "pass");
Assert.assertEquals(AuthenticationManager.AuthenticationStatus.ACCOUNT_DISABLED, am.authenticateForm(realm, formData));
// Successful authentication
realmUser.setEnabled(true);
formData = AuthProvidersExternalModelTest.createFormData("realmUser", "pass");
Assert.assertEquals(AuthenticationManager.AuthenticationStatus.SUCCESS, am.authenticateForm(realm, formData));
} finally {
ResteasyProviderFactory.clearContextData();
}
@ -149,26 +154,34 @@ public class AuthProvidersLDAPTest extends AbstractModelTest {
// this is needed for ldap provider
ResteasyProviderFactory.pushContext(KeycloakRegistry.class, new KeycloakRegistry());
LdapTestUtils.setLdapPassword(realm, "john", "password");
// First authenticate successfully to sync john into realm
MultivaluedMap<String, String> formData = AuthProvidersExternalModelTest.createFormData("john", "password");
Assert.assertEquals(AuthenticationManager.AuthenticationStatus.SUCCESS, am.authenticateForm(realm, formData));
// Change credential and validate that user can authenticate
AuthenticationProviderManager authProviderManager = AuthenticationProviderManager.getManager(realm);
UserModel john = realm.getUser("john");
try {
authProviderManager.updatePassword("john", "password-updated");
Assert.assertTrue(authProviderManager.updatePassword(john, "password-updated"));
} catch (AuthenticationProviderException ape) {
ape.printStackTrace();
Assert.fail("Error not expected");
}
MultivaluedMap<String, String> formData = AuthProvidersExternalModelTest.createFormData("john", "password-updated");
formData = AuthProvidersExternalModelTest.createFormData("john", "password-updated");
Assert.assertEquals(AuthenticationManager.AuthenticationStatus.SUCCESS, am.authenticateForm(realm, formData));
// Password updated just in LDAP, so validating directly in realm should fail
Assert.assertFalse(realm.validatePassword(realm.getUser("john"), "password-updated"));
Assert.assertFalse(realm.validatePassword(john, "password-updated"));
// Switch to not allow updating passwords in ldap
AuthProvidersExternalModelTest.setPasswordUpdateForProvider(false, AuthProviderConstants.PROVIDER_NAME_PICKETLINK, realm);
// Change credential and validate that password is not updated
try {
authProviderManager.updatePassword("john", "password-updated2");
Assert.assertFalse(authProviderManager.updatePassword(john, "password-updated2"));
} catch (AuthenticationProviderException ape) {
ape.printStackTrace();
Assert.fail("Error not expected");

View file

@ -3,6 +3,7 @@ package org.keycloak.model.test;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.models.AuthenticationProviderModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
@ -14,6 +15,8 @@ import org.keycloak.services.managers.AuthenticationManager.AuthenticationStatus
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.MultivaluedMap;
import java.util.Arrays;
import java.util.UUID;
public class AuthenticationManagerTest extends AbstractModelTest {
@ -138,6 +141,7 @@ public class AuthenticationManagerTest extends AbstractModelTest {
realm.setPublicKeyPem("0234234");
realm.setAccessTokenLifespan(1000);
realm.addRequiredCredential(CredentialRepresentation.PASSWORD);
realm.setAuthenticationProviders(Arrays.asList(AuthenticationProviderModel.DEFAULT_PROVIDER));
am = new AuthenticationManager();

View file

@ -208,24 +208,9 @@ public class ImportTest extends AbstractModelTest {
Assert.assertTrue(authProv3.isPasswordUpdateSupported());
// Test authentication linking
Set<AuthenticationLinkModel> authLinks = realm.getAuthenticationLinks(socialUser);
Assert.assertEquals(2, authLinks.size());
boolean plFound = false;
boolean extFound = false;
for (AuthenticationLinkModel authLinkModel : authLinks) {
if (AuthProviderConstants.PROVIDER_NAME_PICKETLINK.equals(authLinkModel.getAuthProvider())) {
plFound = true;
Assert.assertEquals(authLinkModel.getAuthUserId(), "myUser1");
} else if (AuthProviderConstants.PROVIDER_NAME_EXTERNAL_MODEL.equals(authLinkModel.getAuthProvider())) {
extFound = true;
Assert.assertEquals(authLinkModel.getAuthUserId(), "myUser11");
}
}
Assert.assertTrue(plFound && extFound);
UserModel foundAuthUser = realm.getUserByAuthenticationLink(new AuthenticationLinkModel(AuthProviderConstants.PROVIDER_NAME_PICKETLINK, "myUser1"));
Assert.assertEquals(foundAuthUser.getLoginName(), socialUser.getLoginName());
Assert.assertNull(realm.getUserByAuthenticationLink(new AuthenticationLinkModel(AuthProviderConstants.PROVIDER_NAME_PICKETLINK, "not-existing")));
AuthenticationLinkModel authLink = realm.getAuthenticationLink(socialUser);
Assert.assertEquals(AuthProviderConstants.PROVIDER_NAME_PICKETLINK, authLink.getAuthProvider());
Assert.assertEquals("myUser1", authLink.getAuthUserId());
commit();

View file

@ -75,7 +75,11 @@
},
{
"username": "mySocialUser",
"enabled": true
"enabled": true,
"authenticationLink": {
"authProvider": "picketlink",
"authUserId": "myUser1"
}
}
],
"socialMappings": [
@ -100,21 +104,6 @@
]
}
],
"authenticationMappings": [
{
"username": "mySocialUser",
"authenticationLinks": [
{
"authProvider": "picketlink",
"authUserId": "myUser1"
},
{
"authProvider": "externalModel",
"authUserId": "myUser11"
}
]
}
],
"applications": [
{
"name": "Application",

View file

@ -1,8 +1,11 @@
package org.keycloak.services.managers;
import java.util.Arrays;
import org.jboss.resteasy.logging.Logger;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.AuthenticationProviderModel;
import org.keycloak.models.Config;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
@ -58,6 +61,7 @@ public class ApplianceBootstrap {
realm.setSslNotRequired(true);
realm.setRegistrationAllowed(false);
manager.generateRealmKeys(realm);
realm.setAuthenticationProviders(Arrays.asList(AuthenticationProviderModel.DEFAULT_PROVIDER));
ApplicationModel adminConsole = new ApplicationManager(manager).createApplication(realm, Constants.ADMIN_CONSOLE_APPLICATION);
adminConsole.setBaseUrl("/auth/admin/index.html");

View file

@ -16,8 +16,7 @@ import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.spi.authentication.AuthProviderStatus;
import org.keycloak.spi.authentication.AuthResult;
import org.keycloak.spi.authentication.AuthenticatedUser;
import org.keycloak.spi.authentication.AuthUser;
import org.keycloak.spi.authentication.AuthenticationProviderManager;
import org.keycloak.util.Time;
@ -188,6 +187,25 @@ public class AuthenticationManager {
}
UserModel user = KeycloakModelUtils.findUserByNameOrEmail(realm, username);
if (user == null) {
AuthUser authUser = AuthenticationProviderManager.getManager(realm).getUser(username);
if (authUser != null) {
// Create new user and link him with authentication provider
user = realm.addUser(authUser.getUsername());
user.setEnabled(true);
user.setFirstName(authUser.getFirstName());
user.setLastName(authUser.getLastName());
user.setEmail(authUser.getEmail());
realm.setAuthenticationLink(user, new AuthenticationLinkModel(authUser.getProviderName(), authUser.getId()));
} else {
logger.warn("User " + username + " not found");
return AuthenticationStatus.INVALID_USER;
}
}
if (!checkEnabled(user)) {
return AuthenticationStatus.ACCOUNT_DISABLED;
}
Set<String> types = new HashSet<String>();
@ -202,20 +220,13 @@ public class AuthenticationManager {
return AuthenticationStatus.MISSING_PASSWORD;
}
if (user == null && types.contains(CredentialRepresentation.TOTP)) {
logger.warn("User doesn't exists and TOTP is required for the realm");
return AuthenticationStatus.INVALID_USER;
}
if (user != null && user.isTotp()) {
if (user.isTotp()) {
String token = formData.getFirst(CredentialRepresentation.TOTP);
if (token == null) {
logger.warn("TOTP token not provided");
return AuthenticationStatus.MISSING_TOTP;
}
if (!checkEnabled(user)) {
return AuthenticationStatus.ACCOUNT_DISABLED;
}
logger.debug("validating TOTP");
if (!realm.validateTOTP(user, password, token)) {
return AuthenticationStatus.INVALID_CREDENTIALS;
@ -223,58 +234,12 @@ public class AuthenticationManager {
} else {
logger.debug("validating password for user: " + username);
AuthResult authResult = AuthenticationProviderManager.getManager(realm).validatePassword(username, password);
if (authResult.getAuthProviderStatus() == AuthProviderStatus.INVALID_CREDENTIALS) {
AuthProviderStatus authStatus = AuthenticationProviderManager.getManager(realm).validatePassword(user, password);
if (authStatus == AuthProviderStatus.INVALID_CREDENTIALS) {
logger.debug("invalid password for user: " + username);
return AuthenticationStatus.INVALID_CREDENTIALS;
} else if (authResult.getAuthProviderStatus() == AuthProviderStatus.USER_NOT_FOUND) {
logger.debug("User " + username + " not found in any Authentication provider");
return AuthenticationStatus.INVALID_USER;
}
if (authResult.getAuthenticatedUser() != null) {
AuthenticatedUser authUser = authResult.getAuthenticatedUser();
AuthenticationLinkModel authLink = new AuthenticationLinkModel(authResult.getProviderName(), authUser.getId());
user = realm.getUserByAuthenticationLink(authLink);
if (user == null) {
user = KeycloakModelUtils.findUserByNameOrEmail(realm, username);
if (user != null) {
// Case when we already have user with the same username like authenticated, but he is not yet linked to current provider.
// TODO: Revisit if it's ok to link if we allow to change username. Maybe ask user?
// TODO: Update of existing account?
realm.addAuthenticationLink(user, authLink);
logger.info("User " + authUser.getUsername() + " successfully authenticated and linked with provider " + authResult.getProviderName());
} else {
// Create new user, which has been successfully authenticated and link him with authentication provider
user = realm.addUser(authUser.getUsername());
user.setEnabled(true);
user.setFirstName(authUser.getFirstName());
user.setLastName(authUser.getLastName());
user.setEmail(authUser.getEmail());
realm.addAuthenticationLink(user, authLink);
logger.info("User " + username + " successfully authenticated and created based on provider " + authResult.getProviderName());
}
} else {
// Existing and linked user has been authenticated TODO: Update of existing account?
}
// Authenticated username could be different from the "form" username. In this case, we will change it
if (!username.equals(user.getLoginName())) {
formData.putSingle(FORM_USERNAME, user.getLoginName());
logger.debug("Existing user " + user.getLoginName() + " successfully authenticated");
}
} else {
// Authentication provider didn't send AuthenticatedUser. Using already retrieved user based on username from "form"
if (user == null) {
logger.warn("User '" + username + "' successfully authenticated, but he doesn't exists and don't know how to create him");
return AuthenticationStatus.INVALID_USER;
}
}
if (!checkEnabled(user)) {
return AuthenticationStatus.ACCOUNT_DISABLED;
} else if (authStatus == AuthProviderStatus.FAILED) {
return AuthenticationStatus.FAILED;
}
}

View file

@ -21,7 +21,6 @@ import org.keycloak.models.UserModel.RequiredAction;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.ApplicationRepresentation;
import org.keycloak.representations.idm.AuthenticationLinkRepresentation;
import org.keycloak.representations.idm.AuthenticationMappingRepresentation;
import org.keycloak.representations.idm.AuthenticationProviderRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.OAuthClientRepresentation;
@ -37,6 +36,7 @@ import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@ -387,15 +387,6 @@ public class RealmManager {
}
}
}
if (rep.getAuthenticationMappings() != null) {
for (AuthenticationMappingRepresentation authMapping : rep.getAuthenticationMappings()) {
UserModel user = userMap.get(authMapping.getUsername());
for (AuthenticationLinkRepresentation link : authMapping.getAuthenticationLinks()) {
AuthenticationLinkModel mappingModel = new AuthenticationLinkModel(link.getAuthProvider(), link.getAuthUserId());
newRealm.addAuthenticationLink(user, mappingModel);
}
}
}
if (rep.getSmtpServer() != null) {
newRealm.setSmtpConfig(new HashMap(rep.getSmtpServer()));
@ -411,6 +402,9 @@ public class RealmManager {
if (rep.getAuthenticationProviders() != null) {
List<AuthenticationProviderModel> authProviderModels = convertAuthenticationProviders(rep.getAuthenticationProviders());
newRealm.setAuthenticationProviders(authProviderModels);
} else {
List<AuthenticationProviderModel> authProviderModels = Arrays.asList(AuthenticationProviderModel.DEFAULT_PROVIDER);
newRealm.setAuthenticationProviders(authProviderModels);
}
}
@ -474,6 +468,11 @@ public class RealmManager {
newRealm.updateCredential(user, credential);
}
}
if (userRep.getAuthenticationLink() != null) {
AuthenticationLinkRepresentation link = userRep.getAuthenticationLink();
AuthenticationLinkModel authLink = new AuthenticationLinkModel(link.getAuthProvider(), link.getAuthUserId());
newRealm.setAuthenticationLink(user, authLink);
}
return user;
}

View file

@ -264,13 +264,15 @@ public class AccountService {
AuthenticationProviderManager authProviderManager = AuthenticationProviderManager.getManager(realm);
if (Validation.isEmpty(password)) {
return account.setError(Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD);
// TODO: This may not work in some cases. For example if ldap username is "foo" but actual loginName of user is "bar", which could theoretically happen...
} else if (authProviderManager.validatePassword(user.getLoginName(), password).getAuthProviderStatus() != AuthProviderStatus.SUCCESS) {
} else if (authProviderManager.validatePassword(user, password) != AuthProviderStatus.SUCCESS) {
return account.setError(Messages.INVALID_PASSWORD_EXISTING).createResponse(AccountPages.PASSWORD);
}
try {
authProviderManager.updatePassword(user.getLoginName(), passwordNew);
boolean passwordUpdateSuccess = authProviderManager.updatePassword(user, passwordNew);
if (!passwordUpdateSuccess) {
return account.setError("Password update failed").createResponse(AccountPages.PASSWORD);
}
} catch (AuthenticationProviderException ape) {
return account.setError(ape.getMessage()).createResponse(AccountPages.PASSWORD);
}

View file

@ -200,7 +200,10 @@ public class RequiredActionsService {
}
try {
AuthenticationProviderManager.getManager(realm).updatePassword(user.getLoginName(), passwordNew);
boolean updateSuccessful = AuthenticationProviderManager.getManager(realm).updatePassword(user, passwordNew);
if (!updateSuccessful) {
return loginForms.setError("Password update failed").createResponse(RequiredAction.UPDATE_PASSWORD);
}
} catch (AuthenticationProviderException ape) {
return loginForms.setError(ape.getMessage()).createResponse(RequiredAction.UPDATE_PASSWORD);
}

View file

@ -397,12 +397,21 @@ public class TokenService {
UserCredentialModel credentials = new UserCredentialModel();
credentials.setType(CredentialRepresentation.PASSWORD);
credentials.setValue(formData.getFirst("password"));
boolean passwordUpdateSuccessful;
String passwordUpdateError = null;
try {
AuthenticationProviderManager.getManager(realm).updatePassword(username, formData.getFirst("password"));
passwordUpdateSuccessful = AuthenticationProviderManager.getManager(realm).updatePassword(user, formData.getFirst("password"));
passwordUpdateError = "Password update failed";
} catch (AuthenticationProviderException ape) {
passwordUpdateSuccessful = false;
passwordUpdateError = ape.getMessage();
}
// User already registered, but force him to update password
if (!passwordUpdateSuccessful) {
user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
return Flows.forms(realm, request, uriInfo).setError(ape.getMessage()).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
return Flows.forms(realm, request, uriInfo).setError(passwordUpdateError).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
}
}

View file

@ -9,8 +9,7 @@ import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.spi.authentication.AuthProviderStatus;
import org.keycloak.spi.authentication.AuthResult;
import org.keycloak.spi.authentication.AuthenticatedUser;
import org.keycloak.spi.authentication.AuthUser;
import org.keycloak.spi.authentication.AuthenticationProvider;
import org.keycloak.spi.authentication.AuthenticationProviderException;
@ -24,22 +23,19 @@ public abstract class AbstractModelAuthenticationProvider implements Authenticat
private static final Logger logger = Logger.getLogger(AbstractModelAuthenticationProvider.class);
@Override
public AuthResult validatePassword(RealmModel currentRealm, Map<String, String> config, String username, String password) throws AuthenticationProviderException {
public AuthUser getUser(RealmModel currentRealm, Map<String, String> config, String username) throws AuthenticationProviderException {
RealmModel realm = getRealm(currentRealm, config);
UserModel user = KeycloakModelUtils.findUserByNameOrEmail(realm, username);
return user == null ? null : createAuthenticatedUserInstance(user);
}
@Override
public AuthProviderStatus validatePassword(RealmModel currentRealm, Map<String, String> config, String username, String password) throws AuthenticationProviderException {
RealmModel realm = getRealm(currentRealm, config);
UserModel user = KeycloakModelUtils.findUserByNameOrEmail(realm, username);
if (user == null) {
return new AuthResult(AuthProviderStatus.USER_NOT_FOUND);
}
boolean result = realm.validatePassword(user, password);
if (!result) {
return new AuthResult(AuthProviderStatus.INVALID_CREDENTIALS);
}
AuthenticatedUser authUser = createAuthenticatedUserInstance(user);
return new AuthResult(AuthProviderStatus.SUCCESS).setProviderName(getName()).setUser(authUser);
return result ? AuthProviderStatus.SUCCESS : AuthProviderStatus.INVALID_CREDENTIALS;
}
@Override
@ -54,7 +50,7 @@ public abstract class AbstractModelAuthenticationProvider implements Authenticat
UserModel user = realm.getUser(username);
if (user == null) {
logger.debugf("User '%s' doesn't exists. Skip password update", username);
logger.warnf("User '%s' doesn't exists. Skip password update", username);
return false;
}
@ -68,5 +64,9 @@ public abstract class AbstractModelAuthenticationProvider implements Authenticat
protected abstract RealmModel getRealm(RealmModel currentRealm, Map<String, String> config) throws AuthenticationProviderException;
protected abstract AuthenticatedUser createAuthenticatedUserInstance(UserModel user);
protected AuthUser createAuthenticatedUserInstance(UserModel user) {
return new AuthUser(user.getId(), user.getLoginName(), getName())
.setName(user.getFirstName(), user.getLastName())
.setEmail(user.getEmail());
}
}

View file

@ -7,7 +7,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.spi.authentication.AuthProviderConstants;
import org.keycloak.spi.authentication.AuthenticatedUser;
import org.keycloak.spi.authentication.AuthUser;
import org.keycloak.spi.authentication.AuthenticationProviderException;
/**
@ -40,11 +40,4 @@ public class ExternalModelAuthenticationProvider extends AbstractModelAuthentica
}
return realm;
}
@Override
protected AuthenticatedUser createAuthenticatedUserInstance(UserModel user) {
return new AuthenticatedUser(user.getId(), user.getLoginName())
.setName(user.getFirstName(), user.getLastName())
.setEmail(user.getEmail());
}
}

View file

@ -5,7 +5,7 @@ import java.util.Map;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.spi.authentication.AuthProviderConstants;
import org.keycloak.spi.authentication.AuthenticatedUser;
import org.keycloak.spi.authentication.AuthUser;
/**
* AbstractModelAuthenticationProvider, which uses current realm to call operations on
@ -23,10 +23,4 @@ public class ModelAuthenticationProvider extends AbstractModelAuthenticationProv
protected RealmModel getRealm(RealmModel currentRealm, Map<String, String> config) {
return currentRealm;
}
@Override
protected AuthenticatedUser createAuthenticatedUserInstance(UserModel user) {
// We don't want AuthenticatedUser instance. Auto-registration won't never happen with this provider
return null;
}
}

View file

@ -6,9 +6,8 @@ import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.spi.authentication.AuthProviderStatus;
import org.keycloak.spi.authentication.AuthResult;
import org.keycloak.spi.authentication.AuthProviderConstants;
import org.keycloak.spi.authentication.AuthenticatedUser;
import org.keycloak.spi.authentication.AuthUser;
import org.keycloak.spi.authentication.AuthenticationProvider;
import org.keycloak.spi.authentication.AuthenticationProviderException;
import org.keycloak.spi.picketlink.PartitionManagerProvider;
@ -36,28 +35,27 @@ public class PicketlinkAuthenticationProvider implements AuthenticationProvider
}
@Override
public AuthResult validatePassword(RealmModel realm, Map<String, String> configuration, String username, String password) throws AuthenticationProviderException {
public AuthUser getUser(RealmModel realm, Map<String, String> configuration, String username) throws AuthenticationProviderException {
IdentityManager identityManager = getIdentityManager(realm);
User picketlinkUser = BasicModel.getUser(identityManager, username);
if (picketlinkUser == null) {
return new AuthResult(AuthProviderStatus.USER_NOT_FOUND);
return picketlinkUser == null ? null : new AuthUser(picketlinkUser.getId(), picketlinkUser.getLoginName(), getName())
.setName(picketlinkUser.getFirstName(), picketlinkUser.getLastName())
.setEmail(picketlinkUser.getEmail())
.setProviderName(getName());
}
@Override
public AuthProviderStatus validatePassword(RealmModel realm, Map<String, String> configuration, String username, String password) throws AuthenticationProviderException {
IdentityManager identityManager = getIdentityManager(realm);
UsernamePasswordCredentials credential = new UsernamePasswordCredentials();
credential.setUsername(username);
credential.setPassword(new Password(password.toCharArray()));
identityManager.validateCredentials(credential);
if (credential.getStatus() == Credentials.Status.VALID) {
AuthResult result = new AuthResult(AuthProviderStatus.SUCCESS);
AuthenticatedUser authenticatedUser = new AuthenticatedUser(picketlinkUser.getId(), picketlinkUser.getLoginName())
.setName(picketlinkUser.getFirstName(), picketlinkUser.getLastName())
.setEmail(picketlinkUser.getEmail());
result.setUser(authenticatedUser).setProviderName(getName());
return result;
return AuthProviderStatus.SUCCESS;
} else {
return new AuthResult(AuthProviderStatus.INVALID_CREDENTIALS);
return AuthProviderStatus.INVALID_CREDENTIALS;
}
}

View file

@ -5,12 +5,11 @@ package org.keycloak.spi.authentication;
*/
public class AuthProviderConstants {
// Model is default provider. See AuthenticationProviderModel.DEFAULT_PROVIDER
public static final String PROVIDER_NAME_MODEL = "model";
public static final String PROVIDER_NAME_EXTERNAL_MODEL = "externalModel";
public static final String PROVIDER_NAME_PICKETLINK = "picketlink";
public static final String DEFAULT_PROVIDER = PROVIDER_NAME_MODEL;
// Used in external-model provider
public static final String EXTERNAL_REALM_ID = "externalRealmId";
}

View file

@ -7,6 +7,6 @@ package org.keycloak.spi.authentication;
*/
public enum AuthProviderStatus {
SUCCESS, INVALID_CREDENTIALS, USER_NOT_FOUND
SUCCESS, INVALID_CREDENTIALS, FAILED
}

View file

@ -1,44 +0,0 @@
package org.keycloak.spi.authentication;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class AuthResult {
// Status of authentication
private final AuthProviderStatus authProviderStatus;
// Provider, which authenticated user
private String providerName;
// filled usually only in case of successful authentication and just with some Authentication providers
private AuthenticatedUser authenticatedUser;
public AuthResult(AuthProviderStatus authProviderStatus) {
this.authProviderStatus = authProviderStatus;
}
public AuthResult setProviderName(String providerName) {
this.providerName = providerName;
return this;
}
public AuthResult setUser(AuthenticatedUser user) {
this.authenticatedUser = user;
return this;
}
public AuthProviderStatus getAuthProviderStatus() {
return authProviderStatus;
}
public String getProviderName() {
return providerName;
}
public AuthenticatedUser getAuthenticatedUser() {
return authenticatedUser;
}
}

View file

@ -3,7 +3,7 @@ package org.keycloak.spi.authentication;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class AuthenticatedUser {
public class AuthUser {
private String id;
private String username;
@ -11,16 +11,19 @@ public class AuthenticatedUser {
private String lastName;
private String email;
public AuthenticatedUser(String id, String username) {
private String providerName;
public AuthUser(String id, String username, String providerName) {
this.id = id;
this.username = username;
this.providerName = providerName;
}
public String getId() {
return id;
}
public AuthenticatedUser setId(String id) {
public AuthUser setId(String id) {
this.id = id;
return this;
}
@ -29,7 +32,7 @@ public class AuthenticatedUser {
return username;
}
public AuthenticatedUser setUsername(String username) {
public AuthUser setUsername(String username) {
this.username = username;
return this;
}
@ -38,7 +41,7 @@ public class AuthenticatedUser {
return firstName;
}
public AuthenticatedUser setName(String name) {
public AuthUser setName(String name) {
int i = name.lastIndexOf(' ');
if (i != -1) {
firstName = name.substring(0, i);
@ -50,7 +53,7 @@ public class AuthenticatedUser {
return this;
}
public AuthenticatedUser setName(String firstName, String lastName) {
public AuthUser setName(String firstName, String lastName) {
this.firstName = firstName;
this.lastName = lastName;
return this;
@ -64,8 +67,17 @@ public class AuthenticatedUser {
return email;
}
public AuthenticatedUser setEmail(String email) {
public AuthUser setEmail(String email) {
this.email = email;
return this;
}
public String getProviderName() {
return providerName;
}
public AuthUser setProviderName(String providerName) {
this.providerName = providerName;
return this;
}
}

View file

@ -11,6 +11,17 @@ public interface AuthenticationProvider {
String getName();
/**
* Get user by given username or email. Return user instance or null if user doesn't exists in this authentication provider
*
* @param realm
* @param configuration
* @param username or email
* @return found user or null if user with given username doesn't exists
* @throws AuthenticationProviderException
*/
AuthUser getUser(RealmModel realm, Map<String, String> configuration, String username) throws AuthenticationProviderException;
/**
* Standard Authentication flow
*
@ -18,7 +29,7 @@ public interface AuthenticationProvider {
* @param password
* @return result of authentication, which might eventually encapsulate info about authenticated user and provider which successfully authenticated
*/
AuthResult validatePassword(RealmModel realm, Map<String, String> configuration, String username, String password) throws AuthenticationProviderException;
AuthProviderStatus validatePassword(RealmModel realm, Map<String, String> configuration, String username, String password) throws AuthenticationProviderException;
/**

View file

@ -1,14 +1,15 @@
package org.keycloak.spi.authentication;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.models.AuthenticationLinkModel;
import org.keycloak.models.AuthenticationProviderModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.util.ProviderLoader;
/**
@ -22,7 +23,6 @@ import org.keycloak.util.ProviderLoader;
public class AuthenticationProviderManager {
private static final Logger logger = Logger.getLogger(AuthenticationProviderManager.class);
private static final AuthenticationProviderModel DEFAULT_PROVIDER = new AuthenticationProviderModel(AuthProviderConstants.PROVIDER_NAME_MODEL, true, Collections.EMPTY_MAP);
private final RealmModel realm;
private final Map<String, AuthenticationProvider> delegates;
@ -47,56 +47,86 @@ public class AuthenticationProviderManager {
this.delegates = delegates;
}
public AuthResult validatePassword(String username, String password) {
List<AuthenticationProviderModel> configuredProviders = getConfiguredProviders(realm);
boolean userExists = false;
for (AuthenticationProviderModel authProviderConfig : configuredProviders) {
String providerName = authProviderConfig.getProviderName();
AuthenticationProvider delegate = getDelegate(providerName);
public AuthUser getUser(String username) {
List<AuthenticationProviderModel> authProviderModels = getConfiguredProviderModels(realm);
for (AuthenticationProviderModel providerModel : authProviderModels) {
AuthenticationProvider delegate = getProvider(providerModel.getProviderName());
if (delegate == null) {
continue;
}
try {
AuthResult currentResult = delegate.validatePassword(realm, authProviderConfig.getConfig(), username, password);
logger.debugf("Authentication provider '%s' finished with '%s' for authentication of '%s'", delegate.getName(), currentResult.getAuthProviderStatus().toString(), username);
if (currentResult.getAuthProviderStatus() == AuthProviderStatus.SUCCESS) {
return currentResult;
} else if (currentResult.getAuthProviderStatus() == AuthProviderStatus.INVALID_CREDENTIALS) {
userExists = true;
AuthUser authUser = delegate.getUser(realm, providerModel.getConfig(), username);
if (authUser != null) {
logger.debugf("User '%s' found with provider '%s'", username, providerModel.getProviderName());
return authUser;
}
} catch (AuthenticationProviderException ape) {
logger.warn(ape.getMessage(), ape);
}
}
AuthProviderStatus status = userExists ? AuthProviderStatus.INVALID_CREDENTIALS : AuthProviderStatus.USER_NOT_FOUND;
logger.debugf("Not able to authenticate '%s' with any authentication provider. Status: '%s'", username, status.toString());
return new AuthResult(status);
logger.debugf("User '%s' not found with any provider", username);
return null;
}
public void updatePassword(String username, String password) throws AuthenticationProviderException {
List<AuthenticationProviderModel> configuredProviders = getConfiguredProviders(realm);
public AuthProviderStatus validatePassword(UserModel user, String password) {
AuthenticationLinkModel authLink = realm.getAuthenticationLink(user);
if (authLink == null) {
authLink = new AuthenticationLinkModel(AuthenticationProviderModel.DEFAULT_PROVIDER.getProviderName(), user.getId());
}
for (AuthenticationProviderModel authProviderConfig : configuredProviders) {
String providerName = authLink.getAuthProvider();
// Update just those, which support password update
if (authProviderConfig.isPasswordUpdateSupported()) {
String providerName = authProviderConfig.getProviderName();
AuthenticationProvider delegate = getDelegate(providerName);
if (delegate == null) {
continue;
AuthenticationProviderModel providerModel = getConfiguredProviderModel(realm, providerName);
AuthenticationProvider delegate = getProvider(providerName);
if (delegate == null || providerModel == null) {
return AuthProviderStatus.FAILED;
}
try {
if (delegate.updateCredential(realm, authProviderConfig.getConfig(), username, password)) {
logger.debugf("Updated password in authentication provider '%s' for user '%s'", delegate.getName(), username);
checkCorrectAuthLink(delegate, providerModel, authLink, user.getLoginName());
AuthProviderStatus currentResult = delegate.validatePassword(realm, providerModel.getConfig(), user.getLoginName(), password);
logger.debugf("Authentication provider '%s' finished with '%s' for authentication of '%s'", delegate.getName(), currentResult.toString(), user.getLoginName());
return currentResult;
} catch (AuthenticationProviderException ape) {
logger.warn(ape.getMessage(), ape);
return AuthProviderStatus.FAILED;
}
}
public boolean updatePassword(UserModel user, String password) throws AuthenticationProviderException {
AuthenticationLinkModel authLink = realm.getAuthenticationLink(user);
if (authLink == null) {
authLink = new AuthenticationLinkModel(AuthenticationProviderModel.DEFAULT_PROVIDER.getProviderName(), user.getId());
}
String providerName = authLink.getAuthProvider();
AuthenticationProviderModel providerModel = getConfiguredProviderModel(realm, providerName);
if (providerModel == null) {
return false;
}
String username = user.getLoginName();
// Update just those, which support password update
if (providerModel.isPasswordUpdateSupported()) {
try {
AuthenticationProvider delegate = getProvider(providerName);
if (delegate == null) {
return false;
}
checkCorrectAuthLink(delegate, providerModel, authLink, username);
if (delegate.updateCredential(realm,providerModel.getConfig(), user.getLoginName(), password)) {
logger.debugf("Updated password in authentication provider '%s' for user '%s'", providerName, username);
return true;
} else {
logger.debugf("Password not updated in authentication provider '%s' for user '%s'", delegate.getName(), username);
logger.warnf("Password not updated in authentication provider '%s' for user '%s'", providerName, username);
return false;
}
} catch (AuthenticationProviderException ape) {
// Rethrow it to upper layer
@ -104,28 +134,51 @@ public class AuthenticationProviderManager {
throw ape;
}
} else {
logger.debugf("Skip password update for authentication provider '%s' for user '%s'", authProviderConfig.getProviderName(), username);
}
logger.warnf("Skip password update for authentication provider '%s' for user '%s'", providerName, username);
return false;
}
}
private AuthenticationProvider getDelegate(String providerName) {
private AuthenticationProvider getProvider(String providerName) {
AuthenticationProvider delegate = delegates.get(providerName);
if (delegate == null) {
logger.warnf("Configured provider with name '%s' not found", providerName);
logger.warnf("Provider '%s' not available on classpath", providerName);
}
return delegate;
}
private List<AuthenticationProviderModel> getConfiguredProviders(RealmModel realm) {
private List<AuthenticationProviderModel> getConfiguredProviderModels(RealmModel realm) {
List<AuthenticationProviderModel> configuredProviders = realm.getAuthenticationProviders();
// Use model based authentication of current realm by default
if (configuredProviders == null || configuredProviders.isEmpty()) {
configuredProviders = new ArrayList<AuthenticationProviderModel>();
configuredProviders.add(DEFAULT_PROVIDER);
configuredProviders = Collections.EMPTY_LIST;
logger.warnf("No authentication providers found");
}
return configuredProviders;
}
private AuthenticationProviderModel getConfiguredProviderModel(RealmModel realm, String providerName) {
List<AuthenticationProviderModel> providers = getConfiguredProviderModels(realm);
for (AuthenticationProviderModel provider : providers) {
if (providerName.equals(provider.getProviderName())) {
return provider;
}
}
logger.warnf("Provider '%s' not configured in realm", providerName);
return null;
}
// Check if ID of linked AuthUser is same as expected ID from authenticationLink . It should catch the case when for example user "john" was deleted in LDAP
// and then user "john" has been created again, but it's actually different user with different ID
private void checkCorrectAuthLink(AuthenticationProvider authProvider, AuthenticationProviderModel providerModel,
AuthenticationLinkModel authLinkModel, String username) throws AuthenticationProviderException {
AuthUser authUser = authProvider.getUser(realm, providerModel.getConfig(), username);
String userExternalId = authUser.getId();
if (!userExternalId.equals(authLinkModel.getAuthUserId())) {
throw new AuthenticationProviderException("ID did not match! ID from provider: " + userExternalId + ", ID from authentication link: " + authLinkModel.getAuthUserId());
}
}
}

View file

@ -27,6 +27,7 @@ import org.junit.Rule;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.AuthenticationProviderModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
@ -44,6 +45,7 @@ import org.keycloak.testsuite.rule.WebRule;
import org.openqa.selenium.WebDriver;
import java.security.PublicKey;
import java.util.Arrays;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -66,6 +68,7 @@ public class CompositeRoleTest {
realm.setSslNotRequired(true);
realm.setEnabled(true);
realm.addRequiredCredential(UserCredentialModel.PASSWORD);
realm.setAuthenticationProviders(Arrays.asList(AuthenticationProviderModel.DEFAULT_PROVIDER));
final RoleModel realmRole1 = realm.addRole("REALM_ROLE_1");
final RoleModel realmRole2 = realm.addRole("REALM_ROLE_2");
final RoleModel realmRole3 = realm.addRole("REALM_ROLE_3");

View file

@ -47,7 +47,7 @@ public class AuthProvidersIntegrationTest {
@Override
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
addUser(appRealm, "mary", "mary@test.com", "password-app");
addUser(adminstrationRealm, "mary", "mary@admin.com", "password-admin");
addUser(adminstrationRealm, "mary-admin", "mary@admin.com", "password-admin");
AuthenticationProviderModel modelProvider = new AuthenticationProviderModel(AuthProviderConstants.PROVIDER_NAME_MODEL, false, Collections.EMPTY_MAP);
AuthenticationProviderModel picketlinkProvider = new AuthenticationProviderModel(AuthProviderConstants.PROVIDER_NAME_PICKETLINK, true, Collections.EMPTY_MAP);
@ -116,7 +116,7 @@ public class AuthProvidersIntegrationTest {
@Test
public void loginExternalModel() {
loginPage.open();
loginPage.login("mary", "password-admin");
loginPage.login("mary-admin", "password-admin");
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
@ -148,18 +148,18 @@ public class AuthProvidersIntegrationTest {
try {
changePasswordPage.open();
loginPage.login("mary", "password-admin");
loginPage.login("mary-admin", "password-admin");
// Can't update to "pass" due to passwordPolicy
changePasswordPage.changePassword("password-admin", "pass", "pass");
Assert.assertEquals("Invalid password: minimum length 6", profilePage.getError());
changePasswordPage.changePassword("password-app", "password-updated", "password-updated");
changePasswordPage.changePassword("password-admin", "password-updated", "password-updated");
Assert.assertEquals("Your password has been updated", profilePage.getSuccess());
changePasswordPage.logout();
loginPage.open();
loginPage.login("mary", "password-updated");
loginPage.login("mary-admin", "password-updated");
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
} finally {