KEYCLOAK-5827 Retrieve member attribute from LDAP on group/role queries just when necessary

This commit is contained in:
mposolda 2017-11-15 14:51:17 +01:00
parent c4a1764801
commit bd25040e22
3 changed files with 35 additions and 24 deletions

View file

@ -76,7 +76,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
@Override @Override
public LDAPQuery createLDAPGroupQuery() { public LDAPQuery createLDAPGroupQuery() {
return createGroupQuery(); return createGroupQuery(false);
} }
@Override @Override
@ -88,7 +88,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
// LDAP Group CRUD operations // LDAP Group CRUD operations
public LDAPQuery createGroupQuery() { public LDAPQuery createGroupQuery(boolean includeMemberAttribute) {
LDAPQuery ldapQuery = new LDAPQuery(ldapProvider); LDAPQuery ldapQuery = new LDAPQuery(ldapProvider);
// For now, use same search scope, which is configured "globally" and used for user's search. // For now, use same search scope, which is configured "globally" and used for user's search.
@ -107,7 +107,11 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
} }
ldapQuery.addReturningLdapAttribute(config.getGroupNameLdapAttribute()); ldapQuery.addReturningLdapAttribute(config.getGroupNameLdapAttribute());
ldapQuery.addReturningLdapAttribute(config.getMembershipLdapAttribute());
// Performance improvement
if (includeMemberAttribute) {
ldapQuery.addReturningLdapAttribute(config.getMembershipLdapAttribute());
}
for (String groupAttr : config.getGroupAttributes()) { for (String groupAttr : config.getGroupAttributes()) {
ldapQuery.addReturningLdapAttribute(groupAttr); ldapQuery.addReturningLdapAttribute(groupAttr);
@ -125,7 +129,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
} }
public LDAPObject loadLDAPGroupByName(String groupName) { public LDAPObject loadLDAPGroupByName(String groupName) {
LDAPQuery ldapQuery = createGroupQuery(); LDAPQuery ldapQuery = createGroupQuery(true);
Condition roleNameCondition = new LDAPQueryConditionsBuilder().equal(config.getGroupNameLdapAttribute(), groupName); Condition roleNameCondition = new LDAPQueryConditionsBuilder().equal(config.getGroupNameLdapAttribute(), groupName);
ldapQuery.addWhereCondition(roleNameCondition); ldapQuery.addWhereCondition(roleNameCondition);
return ldapQuery.getFirstResult(); return ldapQuery.getFirstResult();
@ -153,7 +157,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
logger.debugf("Syncing groups from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName()); logger.debugf("Syncing groups from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName());
// Get all LDAP groups // Get all LDAP groups
List<LDAPObject> ldapGroups = getAllLDAPGroups(); List<LDAPObject> ldapGroups = getAllLDAPGroups(config.isPreserveGroupsInheritance());
// Convert to internal format // Convert to internal format
Map<String, LDAPObject> ldapGroupsMap = new HashMap<>(); Map<String, LDAPObject> ldapGroupsMap = new HashMap<>();
@ -163,12 +167,15 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
for (LDAPObject ldapGroup : ldapGroups) { for (LDAPObject ldapGroup : ldapGroups) {
String groupName = ldapGroup.getAttributeAsString(groupsRdnAttr); String groupName = ldapGroup.getAttributeAsString(groupsRdnAttr);
Set<String> subgroupNames = new HashSet<>(); if (config.isPreserveGroupsInheritance()) {
for (LDAPDn groupDn : getLDAPSubgroups(ldapGroup)) { Set<String> subgroupNames = new HashSet<>();
subgroupNames.add(groupDn.getFirstRdnAttrValue()); for (LDAPDn groupDn : getLDAPSubgroups(ldapGroup)) {
subgroupNames.add(groupDn.getFirstRdnAttrValue());
}
ldapGroupsRep.add(new GroupTreeResolver.Group(groupName, subgroupNames));
} }
ldapGroupsRep.add(new GroupTreeResolver.Group(groupName, subgroupNames));
ldapGroupsMap.put(groupName, ldapGroup); ldapGroupsMap.put(groupName, ldapGroup);
} }
@ -342,8 +349,8 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
} }
// Send LDAP query to retrieve all groups // Send LDAP query to retrieve all groups
protected List<LDAPObject> getAllLDAPGroups() { protected List<LDAPObject> getAllLDAPGroups(boolean includeMemberAttribute) {
LDAPQuery ldapGroupQuery = createGroupQuery(); LDAPQuery ldapGroupQuery = createGroupQuery(includeMemberAttribute);
return LDAPUtils.loadAllLDAPObjects(ldapGroupQuery, ldapProvider); return LDAPUtils.loadAllLDAPObjects(ldapGroupQuery, ldapProvider);
} }
@ -368,7 +375,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
logger.debugf("Syncing groups from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName()); logger.debugf("Syncing groups from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName());
// Query existing LDAP groups // Query existing LDAP groups
LDAPQuery ldapQuery = createGroupQuery(); LDAPQuery ldapQuery = createGroupQuery(config.isPreserveGroupsInheritance());
List<LDAPObject> ldapGroups = ldapQuery.getResultList(); List<LDAPObject> ldapGroups = ldapQuery.getResultList();
// Convert them to Map<String, LDAPObject> // Convert them to Map<String, LDAPObject>
@ -615,7 +622,7 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
@Override @Override
public void leaveGroup(GroupModel group) { public void leaveGroup(GroupModel group) {
LDAPQuery ldapQuery = createGroupQuery(); LDAPQuery ldapQuery = createGroupQuery(true);
LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder(); LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
Condition roleNameCondition = conditionsBuilder.equal(config.getGroupNameLdapAttribute(), group.getName()); Condition roleNameCondition = conditionsBuilder.equal(config.getGroupNameLdapAttribute(), group.getName());

View file

@ -68,7 +68,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
@Override @Override
public LDAPQuery createLDAPGroupQuery() { public LDAPQuery createLDAPGroupQuery() {
return createRoleQuery(); return createRoleQuery(false);
} }
@Override @Override
@ -124,7 +124,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
logger.debugf("Syncing roles from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName()); logger.debugf("Syncing roles from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName());
// Send LDAP query to load all roles // Send LDAP query to load all roles
LDAPQuery ldapRoleQuery = createRoleQuery(); LDAPQuery ldapRoleQuery = createRoleQuery(false);
List<LDAPObject> ldapRoles = LDAPUtils.loadAllLDAPObjects(ldapRoleQuery, ldapProvider); List<LDAPObject> ldapRoles = LDAPUtils.loadAllLDAPObjects(ldapRoleQuery, ldapProvider);
RoleContainerModel roleContainer = getTargetRoleContainer(realm); RoleContainerModel roleContainer = getTargetRoleContainer(realm);
@ -165,8 +165,8 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
logger.debugf("Syncing roles from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName()); logger.debugf("Syncing roles from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName());
// Send LDAP query to see which roles exists there // Send LDAP query to see which roles exists there
LDAPQuery ldapQuery = createRoleQuery(); LDAPQuery ldapQuery = createRoleQuery(false);
List<LDAPObject> ldapRoles = ldapQuery.getResultList(); List<LDAPObject> ldapRoles = LDAPUtils.loadAllLDAPObjects(ldapQuery, ldapProvider);
Set<String> ldapRoleNames = new HashSet<>(); Set<String> ldapRoleNames = new HashSet<>();
String rolesRdnAttr = config.getRoleNameLdapAttribute(); String rolesRdnAttr = config.getRoleNameLdapAttribute();
@ -194,7 +194,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
} }
// TODO: Possible to merge with GroupMapper and move to common class // TODO: Possible to merge with GroupMapper and move to common class
public LDAPQuery createRoleQuery() { public LDAPQuery createRoleQuery(boolean includeMemberAttribute) {
LDAPQuery ldapQuery = new LDAPQuery(ldapProvider); LDAPQuery ldapQuery = new LDAPQuery(ldapProvider);
// For now, use same search scope, which is configured "globally" and used for user's search. // For now, use same search scope, which is configured "globally" and used for user's search.
@ -214,9 +214,13 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
ldapQuery.addWhereCondition(customFilterCondition); ldapQuery.addWhereCondition(customFilterCondition);
} }
String membershipAttr = config.getMembershipLdapAttribute();
ldapQuery.addReturningLdapAttribute(rolesRdnAttr); ldapQuery.addReturningLdapAttribute(rolesRdnAttr);
ldapQuery.addReturningLdapAttribute(membershipAttr);
// Performance improvement
if (includeMemberAttribute) {
String membershipAttr = config.getMembershipLdapAttribute();
ldapQuery.addReturningLdapAttribute(membershipAttr);
}
return ldapQuery; return ldapQuery;
} }
@ -264,7 +268,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
} }
public LDAPObject loadLDAPRoleByName(String roleName) { public LDAPObject loadLDAPRoleByName(String roleName) {
LDAPQuery ldapQuery = createRoleQuery(); LDAPQuery ldapQuery = createRoleQuery(true);
Condition roleNameCondition = new LDAPQueryConditionsBuilder().equal(config.getRoleNameLdapAttribute(), roleName); Condition roleNameCondition = new LDAPQueryConditionsBuilder().equal(config.getRoleNameLdapAttribute(), roleName);
ldapQuery.addWhereCondition(roleNameCondition); ldapQuery.addWhereCondition(roleNameCondition);
return ldapQuery.getFirstResult(); return ldapQuery.getFirstResult();
@ -430,7 +434,7 @@ public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements
public void deleteRoleMapping(RoleModel role) { public void deleteRoleMapping(RoleModel role) {
if (role.getContainer().equals(roleContainer)) { if (role.getContainer().equals(roleContainer)) {
LDAPQuery ldapQuery = createRoleQuery(); LDAPQuery ldapQuery = createRoleQuery(true);
LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder(); LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
Condition roleNameCondition = conditionsBuilder.equal(config.getRoleNameLdapAttribute(), role.getName()); Condition roleNameCondition = conditionsBuilder.equal(config.getRoleNameLdapAttribute(), role.getName());

View file

@ -281,7 +281,7 @@ public class LDAPTestUtils {
public static void removeAllLDAPRoles(KeycloakSession session, RealmModel appRealm, ComponentModel ldapModel, String mapperName) { public static void removeAllLDAPRoles(KeycloakSession session, RealmModel appRealm, ComponentModel ldapModel, String mapperName) {
ComponentModel mapperModel = getSubcomponentByName(appRealm, ldapModel, mapperName); ComponentModel mapperModel = getSubcomponentByName(appRealm, ldapModel, mapperName);
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel); LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel);
LDAPQuery roleQuery = getRoleMapper(mapperModel, ldapProvider, appRealm).createRoleQuery(); LDAPQuery roleQuery = getRoleMapper(mapperModel, ldapProvider, appRealm).createRoleQuery(false);
List<LDAPObject> ldapRoles = roleQuery.getResultList(); List<LDAPObject> ldapRoles = roleQuery.getResultList();
for (LDAPObject ldapRole : ldapRoles) { for (LDAPObject ldapRole : ldapRoles) {
ldapProvider.getLdapIdentityStore().remove(ldapRole); ldapProvider.getLdapIdentityStore().remove(ldapRole);
@ -291,7 +291,7 @@ public class LDAPTestUtils {
public static void removeAllLDAPGroups(KeycloakSession session, RealmModel appRealm, ComponentModel ldapModel, String mapperName) { public static void removeAllLDAPGroups(KeycloakSession session, RealmModel appRealm, ComponentModel ldapModel, String mapperName) {
ComponentModel mapperModel = getSubcomponentByName(appRealm, ldapModel, mapperName); ComponentModel mapperModel = getSubcomponentByName(appRealm, ldapModel, mapperName);
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel); LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel);
LDAPQuery roleQuery = getGroupMapper(mapperModel, ldapProvider, appRealm).createGroupQuery(); LDAPQuery roleQuery = getGroupMapper(mapperModel, ldapProvider, appRealm).createGroupQuery(false);
List<LDAPObject> ldapRoles = roleQuery.getResultList(); List<LDAPObject> ldapRoles = roleQuery.getResultList();
for (LDAPObject ldapRole : ldapRoles) { for (LDAPObject ldapRole : ldapRoles) {
ldapProvider.getLdapIdentityStore().remove(ldapRole); ldapProvider.getLdapIdentityStore().remove(ldapRole);