fix db2
This commit is contained in:
commit
8794416241
21 changed files with 417 additions and 69 deletions
|
@ -0,0 +1,17 @@
|
|||
package org.keycloak.federation.sssd.api;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:bruno@abstractj.org">Bruno Oliveira</a>
|
||||
*/
|
||||
public class SSSDException extends RuntimeException {
|
||||
public SSSDException() {
|
||||
}
|
||||
|
||||
public SSSDException(String message) {
|
||||
super(message);
|
||||
}
|
||||
|
||||
public SSSDException(String message, Throwable cause) {
|
||||
super(message, cause);
|
||||
}
|
||||
}
|
|
@ -94,19 +94,19 @@ public class Sssd {
|
|||
InfoPipe infoPipe = infopipe();
|
||||
attributes = infoPipe.getUserAttributes(username, Arrays.asList(attr));
|
||||
} catch (Exception e) {
|
||||
logger.error("Failed to retrieve user's attributes from SSSD", e);
|
||||
throw new SSSDException("Failed to retrieve user's attributes. Check if SSSD service is active.");
|
||||
}
|
||||
|
||||
return attributes;
|
||||
}
|
||||
|
||||
public List<String> getUserGroups() {
|
||||
List<String> userGroups = null;
|
||||
List<String> userGroups;
|
||||
try {
|
||||
InfoPipe infoPipe = Sssd.infopipe();
|
||||
userGroups = infoPipe.getUserGroups(username);
|
||||
} catch (Exception e) {
|
||||
logger.error("Failed to retrieve user's groups from SSSD", e);
|
||||
throw new SSSDException("Failed to retrieve user's groups from SSSD. Check if SSSD service is active.");
|
||||
}
|
||||
return userGroups;
|
||||
}
|
||||
|
|
|
@ -55,7 +55,6 @@ public class LiquibaseJpaUpdaterProvider implements JpaUpdaterProvider {
|
|||
private static final Logger logger = Logger.getLogger(LiquibaseJpaUpdaterProvider.class);
|
||||
|
||||
public static final String CHANGELOG = "META-INF/jpa-changelog-master.xml";
|
||||
public static final String DB2_CHANGELOG = "META-INF/db2-jpa-changelog-master.xml";
|
||||
|
||||
private final KeycloakSession session;
|
||||
|
||||
|
@ -99,7 +98,7 @@ public class LiquibaseJpaUpdaterProvider implements JpaUpdaterProvider {
|
|||
updateChangeSet(liquibase, liquibase.getChangeLogFile(), exportWriter);
|
||||
}
|
||||
}
|
||||
} catch (Exception e) {
|
||||
} catch (LiquibaseException | IOException e) {
|
||||
throw new RuntimeException("Failed to update database", e);
|
||||
} finally {
|
||||
ThreadLocalSessionContext.removeCurrentSession();
|
||||
|
|
|
@ -22,7 +22,6 @@ import liquibase.changelog.ChangeSet;
|
|||
import liquibase.changelog.DatabaseChangeLog;
|
||||
import liquibase.database.Database;
|
||||
import liquibase.database.DatabaseFactory;
|
||||
import liquibase.database.core.DB2Database;
|
||||
import liquibase.database.jvm.JdbcConnection;
|
||||
import liquibase.exception.LiquibaseException;
|
||||
import liquibase.logging.LogFactory;
|
||||
|
@ -129,7 +128,7 @@ public class DefaultLiquibaseConnectionProvider implements LiquibaseConnectionPr
|
|||
database.setDefaultSchemaName(defaultSchema);
|
||||
}
|
||||
|
||||
String changelog = (database instanceof DB2Database) ? LiquibaseJpaUpdaterProvider.DB2_CHANGELOG : LiquibaseJpaUpdaterProvider.CHANGELOG;
|
||||
String changelog = LiquibaseJpaUpdaterProvider.CHANGELOG;
|
||||
ResourceAccessor resourceAccessor = new ClassLoaderResourceAccessor(getClass().getClassLoader());
|
||||
|
||||
logger.debugf("Using changelog file %s and changelogTableName %s", changelog, database.getDatabaseChangeLogTableName());
|
||||
|
@ -154,7 +153,7 @@ public class DefaultLiquibaseConnectionProvider implements LiquibaseConnectionPr
|
|||
|
||||
private static class LogWrapper extends LogFactory {
|
||||
|
||||
private liquibase.logging.Logger logger = new liquibase.logging.Logger() {
|
||||
private static final liquibase.logging.Logger logger = new liquibase.logging.Logger() {
|
||||
@Override
|
||||
public void setName(String name) {
|
||||
}
|
||||
|
|
|
@ -1,41 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||
<!--
|
||||
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
~ and other contributors as indicated by the @author tags.
|
||||
~
|
||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~ you may not use this file except in compliance with the License.
|
||||
~ You may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing, software
|
||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~ See the License for the specific language governing permissions and
|
||||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.2.xsd">
|
||||
<include file="META-INF/db2-jpa-changelog-1.0.0.Final.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.1.0.Beta1.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.1.0.Final.xml"/>
|
||||
<include file="META-INF/db2-jpa-changelog-1.2.0.Beta1.xml"/>
|
||||
<include file="META-INF/db2-jpa-changelog-1.2.0.CR1.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.2.0.Final.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.3.0.xml"/>
|
||||
<include file="META-INF/db2-jpa-changelog-1.4.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.5.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.6.1.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.7.0.xml"/>
|
||||
<include file="META-INF/db2-jpa-changelog-1.8.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.9.0.xml"/>
|
||||
<include file="META-INF/db2-jpa-changelog-1.9.1.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.9.2.xml"/>
|
||||
|
||||
<include file="META-INF/jpa-changelog-authz-master.xml"/>
|
||||
<include file="META-INF/jpa-changelog-2.1.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-2.2.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-2.3.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-2.4.0.xml"/>
|
||||
</databaseChangeLog>
|
|
@ -16,8 +16,12 @@
|
|||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.2.xsd">
|
||||
<databaseChangeLog logicalFilePath="META-INF/db2-jpa-changelog-1.0.0.xml" xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.2.xsd">
|
||||
<changeSet author="sthorger@redhat.com" id="1.0.0.Final">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<dbms type="db2" />
|
||||
</preConditions>
|
||||
|
||||
<createTable tableName="APPLICATION_DEFAULT_ROLES">
|
||||
<column name="APPLICATION_ID" type="VARCHAR(36)">
|
||||
<constraints nullable="false"/>
|
|
@ -18,6 +18,12 @@
|
|||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.2.xsd">
|
||||
<changeSet author="sthorger@redhat.com" id="1.0.0.Final">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<not>
|
||||
<dbms type="db2" />
|
||||
</not>
|
||||
</preConditions>
|
||||
|
||||
<createTable tableName="APPLICATION_DEFAULT_ROLES">
|
||||
<column name="APPLICATION_ID" type="VARCHAR(36)">
|
||||
<constraints nullable="false"/>
|
||||
|
|
|
@ -16,8 +16,12 @@
|
|||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<databaseChangeLog logicalFilePath="META-INF/db2-jpa-changelog-1.2.0.Beta1.xml" xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="psilva@redhat.com" id="1.2.0.Beta1">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<dbms type="db2" />
|
||||
</preConditions>
|
||||
|
||||
<delete tableName="CLIENT_SESSION_ROLE" />
|
||||
<delete tableName="CLIENT_SESSION_NOTE" />
|
||||
<delete tableName="CLIENT_SESSION" />
|
|
@ -18,6 +18,12 @@
|
|||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="psilva@redhat.com" id="1.2.0.Beta1">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<not>
|
||||
<dbms type="db2" />
|
||||
</not>
|
||||
</preConditions>
|
||||
|
||||
<delete tableName="CLIENT_SESSION_ROLE"/>
|
||||
<delete tableName="CLIENT_SESSION_NOTE"/>
|
||||
<delete tableName="CLIENT_SESSION"/>
|
||||
|
|
|
@ -16,8 +16,12 @@
|
|||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<databaseChangeLog logicalFilePath="META-INF/db2-jpa-changelog-1.2.0.CR1.xml" xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="bburke@redhat.com" id="1.2.0.RC1">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<dbms type="db2" />
|
||||
</preConditions>
|
||||
|
||||
<delete tableName="CLIENT_SESSION_ROLE"/>
|
||||
<delete tableName="CLIENT_SESSION_NOTE"/>
|
||||
<delete tableName="CLIENT_SESSION"/>
|
|
@ -18,6 +18,12 @@
|
|||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="bburke@redhat.com" id="1.2.0.RC1">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<not>
|
||||
<dbms type="db2" />
|
||||
</not>
|
||||
</preConditions>
|
||||
|
||||
<delete tableName="CLIENT_SESSION_ROLE"/>
|
||||
<delete tableName="CLIENT_SESSION_NOTE"/>
|
||||
<delete tableName="CLIENT_SESSION"/>
|
||||
|
|
|
@ -16,8 +16,12 @@
|
|||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<databaseChangeLog logicalFilePath="META-INF/db2-jpa-changelog-1.4.0.xml" xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="bburke@redhat.com" id="1.4.0">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<dbms type="db2" />
|
||||
</preConditions>
|
||||
|
||||
<delete tableName="CLIENT_SESSION_AUTH_STATUS"/>
|
||||
<delete tableName="CLIENT_SESSION_ROLE"/>
|
||||
<delete tableName="CLIENT_SESSION_PROT_MAPPER"/>
|
|
@ -18,6 +18,12 @@
|
|||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="bburke@redhat.com" id="1.4.0">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<not>
|
||||
<dbms type="db2" />
|
||||
</not>
|
||||
</preConditions>
|
||||
|
||||
<delete tableName="CLIENT_SESSION_AUTH_STATUS"/>
|
||||
<delete tableName="CLIENT_SESSION_ROLE"/>
|
||||
<delete tableName="CLIENT_SESSION_PROT_MAPPER"/>
|
||||
|
|
|
@ -16,8 +16,11 @@
|
|||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<databaseChangeLog logicalFilePath="META-INF/db2-jpa-changelog-1.8.0.xml" xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="mposolda@redhat.com" id="1.8.0">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<dbms type="db2" />
|
||||
</preConditions>
|
||||
|
||||
<addColumn tableName="IDENTITY_PROVIDER">
|
||||
<column name="POST_BROKER_LOGIN_FLOW_ID" type="VARCHAR(36)">
|
||||
|
@ -134,6 +137,10 @@
|
|||
</changeSet>
|
||||
|
||||
<changeSet id="1.8.0-2" author="keycloak">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<dbms type="db2" />
|
||||
</preConditions>
|
||||
|
||||
<dropDefaultValue tableName="CREDENTIAL" columnName="ALGORITHM" columnDataType="VARCHAR(36)"/>
|
||||
|
||||
<update tableName="CREDENTIAL">
|
|
@ -18,6 +18,11 @@
|
|||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="mposolda@redhat.com" id="1.8.0">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<not>
|
||||
<dbms type="db2" />
|
||||
</not>
|
||||
</preConditions>
|
||||
|
||||
<addColumn tableName="IDENTITY_PROVIDER">
|
||||
<column name="POST_BROKER_LOGIN_FLOW_ID" type="VARCHAR(36)">
|
||||
|
@ -130,6 +135,12 @@
|
|||
</changeSet>
|
||||
|
||||
<changeSet id="1.8.0-2" author="keycloak">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<not>
|
||||
<dbms type="db2" />
|
||||
</not>
|
||||
</preConditions>
|
||||
|
||||
<dropDefaultValue tableName="CREDENTIAL" columnName="ALGORITHM" columnDataType="VARCHAR(36)"/>
|
||||
|
||||
<update tableName="CREDENTIAL">
|
||||
|
|
|
@ -16,8 +16,12 @@
|
|||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<databaseChangeLog logicalFilePath="META-INF/db2-jpa-changelog-1.9.1.xml" xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="keycloak" id="1.9.1">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<dbms type="db2" />
|
||||
</preConditions>
|
||||
|
||||
<!-- Can't increase publicKey on DB2 due the DB2 SQL Error: SQLCODE=-670, SQLSTATE=54010, SQLERRMC=16293;USERSPACE1, DRIVER=4.19.26 . Need to find better solution -->
|
||||
<modifyDataType tableName="REALM" columnName="PRIVATE_KEY" newDataType="VARCHAR(4000)"/>
|
||||
<!--<modifyDataType tableName="REALM" columnName="PUBLIC_KEY" newDataType="VARCHAR(4000)"/>-->
|
|
@ -18,6 +18,12 @@
|
|||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
|
||||
<changeSet author="keycloak" id="1.9.1">
|
||||
<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
|
||||
<not>
|
||||
<dbms type="db2" />
|
||||
</not>
|
||||
</preConditions>
|
||||
|
||||
<modifyDataType tableName="REALM" columnName="PRIVATE_KEY" newDataType="VARCHAR(4000)"/>
|
||||
<modifyDataType tableName="REALM" columnName="PUBLIC_KEY" newDataType="VARCHAR(4000)"/>
|
||||
<modifyDataType tableName="REALM" columnName="CERTIFICATE" newDataType="VARCHAR(4000)"/>
|
||||
|
|
|
@ -18,19 +18,25 @@
|
|||
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.2.xsd">
|
||||
<include file="META-INF/jpa-changelog-1.0.0.Final.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.0.0.Final-db2.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.1.0.Beta1.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.1.0.Final.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.2.0.Beta1.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.2.0.Beta1-db2.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.2.0.CR1.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.2.0.CR1-db2.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.2.0.Final.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.3.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.4.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.4.0-db2.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.5.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.6.1.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.7.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.8.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.8.0-db2.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.9.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.9.1.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.9.1-db2.xml"/>
|
||||
<include file="META-INF/jpa-changelog-1.9.2.xml"/>
|
||||
|
||||
<include file="META-INF/jpa-changelog-authz-master.xml"/>
|
||||
|
|
|
@ -31,10 +31,7 @@ import org.keycloak.authorization.store.ScopeStore;
|
|||
import org.keycloak.authorization.store.StoreFactory;
|
||||
import org.keycloak.common.enums.SslRequired;
|
||||
import org.keycloak.common.util.Base64;
|
||||
import org.keycloak.common.util.CertificateUtils;
|
||||
import org.keycloak.common.util.KeyUtils;
|
||||
import org.keycloak.common.util.MultivaluedHashMap;
|
||||
import org.keycloak.common.util.PemUtils;
|
||||
import org.keycloak.common.util.UriUtils;
|
||||
import org.keycloak.component.ComponentModel;
|
||||
import org.keycloak.credential.CredentialModel;
|
||||
|
@ -108,11 +105,7 @@ import org.keycloak.storage.federated.UserFederatedStorageProvider;
|
|||
import org.keycloak.util.JsonSerialization;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.security.KeyPair;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedList;
|
||||
|
@ -1938,7 +1931,18 @@ public class RepresentationToModel {
|
|||
toModel(resourceRepresentation, resourceServer, authorization);
|
||||
});
|
||||
|
||||
rep.getPolicies().forEach(policyRepresentation -> {
|
||||
importPolicies(authorization, resourceServer, rep.getPolicies(), null);
|
||||
}
|
||||
|
||||
private static Policy importPolicies(AuthorizationProvider authorization, ResourceServer resourceServer, List<PolicyRepresentation> policiesToImport, String parentPolicyName) {
|
||||
StoreFactory storeFactory = authorization.getStoreFactory();
|
||||
KeycloakSession session = authorization.getKeycloakSession();
|
||||
RealmModel realm = authorization.getRealm();
|
||||
for (PolicyRepresentation policyRepresentation : policiesToImport) {
|
||||
if (parentPolicyName != null && !parentPolicyName.equals(policyRepresentation.getName())) {
|
||||
continue;
|
||||
}
|
||||
|
||||
Map<String, String> config = policyRepresentation.getConfig();
|
||||
|
||||
String roles = config.get("roles");
|
||||
|
@ -1971,6 +1975,16 @@ public class RepresentationToModel {
|
|||
.findFirst().orElse(null);
|
||||
}
|
||||
|
||||
if (role == null) {
|
||||
role = realm.getRoleById(roleName);
|
||||
|
||||
if (role == null) {
|
||||
String finalRoleName1 = roleName;
|
||||
role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName1)).filter(roleModel -> roleModel != null)
|
||||
.findFirst().orElse(null);
|
||||
}
|
||||
}
|
||||
|
||||
if (role == null) {
|
||||
throw new RuntimeException("Error while importing configuration. Role [" + roleName + "] could not be found.");
|
||||
}
|
||||
|
@ -1988,7 +2002,19 @@ public class RepresentationToModel {
|
|||
if (users != null && !users.isEmpty()) {
|
||||
try {
|
||||
List<String> usersMap = JsonSerialization.readValue(users, List.class);
|
||||
config.put("users", JsonSerialization.writeValueAsString(usersMap.stream().map(userName -> session.users().getUserByUsername(userName, realm).getId()).collect(Collectors.toList())));
|
||||
config.put("users", JsonSerialization.writeValueAsString(usersMap.stream().map(userId -> {
|
||||
UserModel user = session.users().getUserByUsername(userId, realm);
|
||||
|
||||
if (user == null) {
|
||||
user = session.users().getUserById(userId, realm);
|
||||
}
|
||||
|
||||
if (user == null) {
|
||||
throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
|
||||
}
|
||||
|
||||
return user.getId();
|
||||
}).collect(Collectors.toList())));
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
|
||||
}
|
||||
|
@ -1998,10 +2024,15 @@ public class RepresentationToModel {
|
|||
|
||||
if (scopes != null && !scopes.isEmpty()) {
|
||||
try {
|
||||
ScopeStore scopeStore = storeFactory.getScopeStore();
|
||||
List<String> scopesMap = JsonSerialization.readValue(scopes, List.class);
|
||||
config.put("scopes", JsonSerialization.writeValueAsString(scopesMap.stream().map(scopeName -> {
|
||||
Scope newScope = scopeStore.findByName(scopeName, resourceServer.getId());
|
||||
|
||||
if (newScope == null) {
|
||||
newScope = scopeStore.findById(scopeName);
|
||||
}
|
||||
|
||||
if (newScope == null) {
|
||||
throw new RuntimeException("Scope with name [" + scopeName + "] not defined.");
|
||||
}
|
||||
|
@ -2019,8 +2050,21 @@ public class RepresentationToModel {
|
|||
ResourceStore resourceStore = storeFactory.getResourceStore();
|
||||
try {
|
||||
List<String> resources = JsonSerialization.readValue(policyResources, List.class);
|
||||
config.put("resources", JsonSerialization.writeValueAsString(resources.stream().map(resourceName -> {
|
||||
return resourceStore.findByName(resourceName, resourceServer.getId()).getId();
|
||||
config.put("resources", JsonSerialization.writeValueAsString(resources.stream().map(new Function<String, String>() {
|
||||
@Override
|
||||
public String apply(String resourceName) {
|
||||
Resource resource = resourceStore.findByName(resourceName, resourceServer.getId());
|
||||
|
||||
if (resource == null) {
|
||||
resource = resourceStore.findById(resourceName);
|
||||
}
|
||||
|
||||
if (resource == null) {
|
||||
throw new RuntimeException("Resource with name [" + resourceName + "] not defined.");
|
||||
}
|
||||
|
||||
return resource.getId();
|
||||
}
|
||||
}).collect(Collectors.toList())));
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
|
||||
|
@ -2036,9 +2080,16 @@ public class RepresentationToModel {
|
|||
config.put("applyPolicies", JsonSerialization.writeValueAsString(policies.stream().map(policyName -> {
|
||||
Policy policy = policyStore.findByName(policyName, resourceServer.getId());
|
||||
|
||||
if (policy == null) {
|
||||
policy = policyStore.findById(policyName);
|
||||
}
|
||||
|
||||
if (policy == null) {
|
||||
policy = importPolicies(authorization, resourceServer, policiesToImport, policyName);
|
||||
if (policy == null) {
|
||||
throw new RuntimeException("Policy with name [" + policyName + "] not defined.");
|
||||
}
|
||||
}
|
||||
|
||||
return policy.getId();
|
||||
}).collect(Collectors.toList())));
|
||||
|
@ -2047,8 +2098,14 @@ public class RepresentationToModel {
|
|||
}
|
||||
}
|
||||
|
||||
if (parentPolicyName == null) {
|
||||
toModel(policyRepresentation, resourceServer, authorization);
|
||||
});
|
||||
} else if (parentPolicyName.equals(policyRepresentation.getName())) {
|
||||
return toModel(policyRepresentation, resourceServer, authorization);
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
public static Policy toModel(PolicyRepresentation policy, ResourceServer resourceServer, AuthorizationProvider authorization) {
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
/*
|
||||
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.testsuite.admin.client.authorization;
|
||||
|
||||
import static com.sun.corba.se.impl.oa.poa.Policies.defaultPolicies;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.keycloak.admin.client.resource.AuthorizationResource;
|
||||
import org.keycloak.admin.client.resource.ClientResource;
|
||||
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.representations.idm.RoleRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
|
||||
import org.keycloak.util.JsonSerialization;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
public class ImportAuthorizationSettingsTest extends AbstractAuthorizationTest {
|
||||
|
||||
@Test
|
||||
public void testImportUnorderedSettings() throws Exception {
|
||||
ClientResource clientResource = getClientResource();
|
||||
|
||||
enableAuthorizationServices();
|
||||
|
||||
ResourceServerRepresentation toImport = JsonSerialization.readValue(getClass().getResourceAsStream("/authorization-test/import-authorization-unordered-settings.json"), ResourceServerRepresentation.class);
|
||||
|
||||
realmsResouce().realm(getRealmId()).roles().create(new RoleRepresentation("user", null, false));
|
||||
clientResource.roles().create(new RoleRepresentation("manage-albums", null, false));
|
||||
|
||||
AuthorizationResource authorizationResource = clientResource.authorization();
|
||||
|
||||
authorizationResource.importSettings(toImport);
|
||||
|
||||
assertEquals(13, authorizationResource.policies().policies().size());
|
||||
}
|
||||
}
|
|
@ -0,0 +1,183 @@
|
|||
{
|
||||
"allowRemoteResourceManagement": true,
|
||||
"policyEnforcementMode": "ENFORCING",
|
||||
"resources": [
|
||||
{
|
||||
"name": "User Profile Resource",
|
||||
"uri": "/profile",
|
||||
"type": "http://photoz.com/profile",
|
||||
"scopes": [
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:profile:view"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "Album Resource",
|
||||
"uri": "/album/*",
|
||||
"type": "http://photoz.com/album",
|
||||
"scopes": [
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:album:view"
|
||||
},
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:album:delete"
|
||||
},
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:album:create"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "Admin Resources",
|
||||
"uri": "/admin/*",
|
||||
"type": "http://photoz.com/admin",
|
||||
"scopes": [
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:album:admin:manage"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"policies": [
|
||||
{
|
||||
"name": "View User Permission",
|
||||
"description": "Defines who is allowed to view an user profile",
|
||||
"type": "scope",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"applyPolicies": "[\"Only From @keycloak.org or Admin\"]",
|
||||
"scopes": "[\"urn:photoz.com:scopes:profile:view\"]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Only Owner Policy",
|
||||
"description": "Defines that only the resource owner is allowed to do something",
|
||||
"type": "drools",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"mavenArtifactVersion": "${project.version}",
|
||||
"mavenArtifactId": "photoz-authz-policy",
|
||||
"sessionName": "MainOwnerSession",
|
||||
"mavenArtifactGroupId": "org.keycloak",
|
||||
"moduleName": "PhotozAuthzOwnerPolicy",
|
||||
"scannerPeriod": "1",
|
||||
"scannerPeriodUnit": "Hours"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Any User Policy",
|
||||
"description": "Defines that only users from well known clients are allowed to access",
|
||||
"type": "role",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"roles": "[{\"id\":\"user\"},{\"id\":\"manage-albums\",\"required\":true}]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Only From a Specific Client Address",
|
||||
"description": "Defines that only clients from a specific address can do something",
|
||||
"type": "js",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"code": "var contextAttributes = $evaluation.getContext().getAttributes();\n\nif (contextAttributes.containsValue('kc.client.network.ip_address', '127.0.0.1')) {\n $evaluation.grant();\n}"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Administration Policy",
|
||||
"description": "Defines that only administrators from a specific network address can do something.",
|
||||
"type": "aggregate",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"applyPolicies": "[\"Only From a Specific Client Address\",\"Any Admin Policy\"]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Only Owner and Administrators Policy",
|
||||
"description": "Defines that only the resource owner and administrators can do something",
|
||||
"type": "aggregate",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "AFFIRMATIVE",
|
||||
"config": {
|
||||
"applyPolicies": "[\"Administration Policy\",\"Only Owner Policy\"]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Album Resource Permission",
|
||||
"description": "General policies that apply to all album resources.",
|
||||
"type": "resource",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "AFFIRMATIVE",
|
||||
"config": {
|
||||
"defaultResourceType": "http://photoz.com/album",
|
||||
"default": "true",
|
||||
"applyPolicies": "[\"Any User Policy\",\"Administration Policy\"]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Admin Resource Permission",
|
||||
"description": "General policy for any administrative resource.",
|
||||
"type": "resource",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"defaultResourceType": "http://photoz.com/admin",
|
||||
"default": "true",
|
||||
"applyPolicies": "[\"Administration Policy\"]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Delete Album Permission",
|
||||
"description": "A policy that only allows the owner to delete his albums.",
|
||||
"type": "scope",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"applyPolicies": "[\"Only Owner and Administrators Policy\"]",
|
||||
"scopes": "[\"urn:photoz.com:scopes:album:delete\"]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Any Admin Policy",
|
||||
"description": "Defines that adminsitrators can do something",
|
||||
"type": "role",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"roles": "[{\"id\":\"admin\",\"required\":true}]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "Only From @keycloak.org or Admin",
|
||||
"description": "Defines that only users from @keycloak.org",
|
||||
"type": "js",
|
||||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRole('admin') || email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}"
|
||||
}
|
||||
}
|
||||
],
|
||||
"scopes": [
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:profile:view"
|
||||
},
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:album:view"
|
||||
},
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:album:create"
|
||||
},
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:album:delete"
|
||||
},
|
||||
{
|
||||
"name": "urn:photoz.com:scopes:album:admin:manage"
|
||||
}
|
||||
]
|
||||
}
|
Loading…
Reference in a new issue