Merge pull request #72 from patriot1burke/master

Bootstrapping
This commit is contained in:
Bill Burke 2013-10-16 06:00:59 -07:00
commit c56433883c
30 changed files with 230 additions and 404 deletions

View file

@ -24,14 +24,8 @@
<li>
<span class="dropdown-label" data-ng-show="showNav()">Realm:</span>
<div class="dropdown" data-ng-show="showNav()">
<a data-toggle="dropdown" class="dropdown-toggle" href="#">My First Realm</a>
<ul class="dropdown-menu">
<li class="selected"><a href="#">My First Realm</a></li>
<li><a href="#">Another Realm</a></li>
<li><a href="#">Some realm with a freaking gigantic name</a></li>
</ul>
<select ng-change="changeRealm()" ng-model="current.realm" ng-options="r.realm for r in current.realms"></select>
</div>
<!-- This component should be replaced by the dropdown-menu above --> <li class="select-rcue" data-ng-show="showNav()"><select ng-change="changeRealm()" ng-model="current.realm" ng-options="r.realm for r in current.realms"></select></li>
</li>
</ul>
<div class="pull-right" data-ng-show="auth.loggedIn">

View file

@ -1,13 +1,12 @@
package org.keycloak.example.demo;
import org.jboss.resteasy.jwt.JsonSerialization;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.services.managers.ApplianceBootstrap;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.resources.KeycloakApplication;
import org.keycloak.services.resources.SaasService;
import javax.servlet.ServletContext;
import javax.ws.rs.core.Context;
@ -24,27 +23,13 @@ public class DemoApplication extends KeycloakApplication {
super(servletContext);
KeycloakSession session = factory.createSession();
session.getTransaction().begin();
RealmManager realmManager = new RealmManager(session);
if (realmManager.defaultRealm() == null) {
install(realmManager);
}
ApplianceBootstrap bootstrap = new ApplianceBootstrap();
bootstrap.bootstrap(session);
install(new RealmManager(session));
session.getTransaction().commit();
}
public void install(RealmManager manager) {
RealmModel defaultRealm = manager.createRealm(RealmModel.DEFAULT_REALM, RealmModel.DEFAULT_REALM);
defaultRealm.setName(RealmModel.DEFAULT_REALM);
defaultRealm.setEnabled(true);
defaultRealm.setTokenLifespan(300);
defaultRealm.setAccessCodeLifespan(60);
defaultRealm.setSslNotRequired(true);
defaultRealm.setCookieLoginAllowed(true);
defaultRealm.setRegistrationAllowed(true);
manager.generateRealmKeys(defaultRealm);
defaultRealm.addRequiredCredential(CredentialRepresentation.PASSWORD);
defaultRealm.addRole(SaasService.REALM_CREATOR_ROLE);
defaultRealm.addDefaultRole(SaasService.REALM_CREATOR_ROLE);
RealmRepresentation rep = loadJson("META-INF/testrealm.json");
RealmModel realm = manager.createRealm("demo", rep.getRealm());
manager.importRealm(rep, realm);

View file

@ -1,4 +1,5 @@
#!/bin/bash
# dev setup
if [ -z "$JBOSS_HOME"]; then
echo "Need toset JBOSS_HOME"

View file

@ -1,19 +1,19 @@
package org.keycloak.example.demo;
import org.jboss.resteasy.jwt.JsonSerialization;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.services.managers.ApplianceBootstrap;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.resources.KeycloakApplication;
import org.keycloak.services.resources.SaasService;
import javax.servlet.ServletContext;
import javax.ws.rs.core.Context;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
@ -24,27 +24,13 @@ public class DemoApplication extends KeycloakApplication {
super(servletContext);
KeycloakSession session = factory.createSession();
session.getTransaction().begin();
RealmManager realmManager = new RealmManager(session);
if (realmManager.defaultRealm() == null) {
install(realmManager);
}
ApplianceBootstrap bootstrap = new ApplianceBootstrap();
bootstrap.bootstrap(session);
install(new RealmManager(session));
session.getTransaction().commit();
}
public void install(RealmManager manager) {
RealmModel defaultRealm = manager.createRealm(RealmModel.DEFAULT_REALM, RealmModel.DEFAULT_REALM);
defaultRealm.setName(RealmModel.DEFAULT_REALM);
defaultRealm.setEnabled(true);
defaultRealm.setTokenLifespan(300);
defaultRealm.setAccessCodeLifespan(60);
defaultRealm.setSslNotRequired(true);
defaultRealm.setCookieLoginAllowed(true);
defaultRealm.setRegistrationAllowed(true);
manager.generateRealmKeys(defaultRealm);
defaultRealm.addRequiredCredential(CredentialRepresentation.PASSWORD);
defaultRealm.addRole(SaasService.REALM_CREATOR_ROLE);
defaultRealm.addDefaultRole(SaasService.REALM_CREATOR_ROLE);
RealmRepresentation rep = loadJson("META-INF/testrealm.json");
RealmModel realm = manager.createRealm("demo", rep.getRealm());
manager.importRealm(rep, realm);

View file

@ -0,0 +1,3 @@
<jboss-web>
<symbolic-linking-enabled>true</symbolic-linking-enabled>
</jboss-web>

View file

@ -35,5 +35,6 @@
</build>
<modules>
<module>as7-eap-demo</module>
<module>as7-eap-dev</module>
</modules>
</project>

View file

@ -21,6 +21,7 @@
*/
package org.keycloak.forms;
import org.keycloak.models.Constants;
import org.keycloak.models.RealmModel;
/**
@ -35,7 +36,7 @@ public class RealmBean {
public RealmBean(RealmModel realmModel) {
realm = realmModel;
saas = RealmModel.DEFAULT_REALM.equals(realmModel.getName());
saas = Constants.ADMIN_REALM.equals(realmModel.getId());
}
public String getId() {

View file

@ -0,0 +1,14 @@
package org.keycloak.models;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public interface Constants {
String ADMIN_REALM = "Keycloak Adminstration";
String ADMIN_CONSOLE_APPLICATION = "Admin Console";
String ADMIN_CONSOLE_ADMIN_ROLE = "admin";
String APPLICATION_ROLE = "KEYCLOAK_APPLICATION";
String IDENTITY_REQUESTER_ROLE = "KEYCLOAK_IDENTITY_REQUESTER";
String WILDCARD_ROLE = "*";
}

View file

@ -11,7 +11,6 @@ import java.util.Set;
* @version $Revision: 1 $
*/
public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMapperModel {
String DEFAULT_REALM = "default";
String getId();
@ -97,11 +96,6 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
ApplicationModel addApplication(String name);
boolean isRealmAdmin(UserModel agent);
void addRealmAdmin(UserModel agent);
List<RequiredCredentialModel> getRequiredApplicationCredentials();

View file

@ -71,6 +71,7 @@ public class ApplicationAdapter implements ApplicationModel {
@Override
public void setName(String name) {
applicationData.setResourceName(name);
updateApplication();
}
@Override
@ -81,6 +82,7 @@ public class ApplicationAdapter implements ApplicationModel {
@Override
public void setEnabled(boolean enabled) {
applicationData.setEnabled(enabled);
updateApplication();
}
@Override
@ -91,6 +93,7 @@ public class ApplicationAdapter implements ApplicationModel {
@Override
public void setSurrogateAuthRequired(boolean surrogateAuthRequired) {
applicationData.setSurrogateAuthRequired(surrogateAuthRequired);
updateApplication();
}
@Override
@ -101,6 +104,7 @@ public class ApplicationAdapter implements ApplicationModel {
@Override
public void setManagementUrl(String url) {
applicationData.setManagementUrl(url);
updateApplication();
}
@Override
@ -111,6 +115,7 @@ public class ApplicationAdapter implements ApplicationModel {
@Override
public void setBaseUrl(String url) {
applicationData.setBaseUrl(url);
updateApplication();
}
@Override

View file

@ -6,6 +6,7 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.picketlink.mappings.RealmData;
import org.keycloak.models.picketlink.relationships.RealmAdminRelationship;
import org.keycloak.models.picketlink.relationships.RealmListingRelationship;
import org.keycloak.models.utils.KeycloakSessionUtils;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.RelationshipManager;
@ -56,18 +57,24 @@ public class PicketlinkKeycloakSession implements KeycloakSession {
newRealm.setId(id);
newRealm.setRealmName(name);
partitionManager.add(newRealm);
RealmListingRelationship rel = new RealmListingRelationship();
// picketlink beta 6 uses Realm name for lookup! Don't forget!
rel.setRealm(newRealm.getName());
partitionManager.createRelationshipManager().add(rel);
RealmAdapter realm = new RealmAdapter(this, newRealm, partitionManager);
return realm;
}
@Override
public List<RealmModel> getRealms(UserModel admin) {
// todo ability to assign realm management to a specific admin
// currently each admin is allowed to access all realms so just do a big query
RelationshipManager relationshipManager = partitionManager.createRelationshipManager();
RelationshipQuery<RealmAdminRelationship> query = relationshipManager.createRelationshipQuery(RealmAdminRelationship.class);
query.setParameter(RealmAdminRelationship.ADMIN, ((UserAdapter)admin).getUser());
List<RealmAdminRelationship> results = query.getResultList();
RelationshipQuery<RealmListingRelationship> query = relationshipManager.createRelationshipQuery(RealmListingRelationship.class);
List<RealmListingRelationship> results = query.getResultList();
List<RealmModel> realmModels = new ArrayList<RealmModel>();
for (RealmAdminRelationship relationship : results) {
for (RealmListingRelationship relationship : results) {
String realmName = relationship.getRealm();
RealmModel model = getRealm(realmName);
if (model == null) {
@ -81,6 +88,7 @@ public class PicketlinkKeycloakSession implements KeycloakSession {
@Override
public RealmAdapter getRealm(String id) {
// picketlink beta 6 uses Realm name for lookup! Don't forget!
RealmData existing = partitionManager.getPartition(RealmData.class, id);
if (existing == null) {
return null;

View file

@ -753,23 +753,6 @@ public class RealmAdapter implements RealmModel {
return set;
}
@Override
public boolean isRealmAdmin(UserModel agent) {
RelationshipQuery<RealmAdminRelationship> query = getRelationshipManager().createRelationshipQuery(RealmAdminRelationship.class);
query.setParameter(RealmAdminRelationship.REALM, realm.getName());
query.setParameter(RealmAdminRelationship.ADMIN, ((UserAdapter)agent).getUser());
List<RealmAdminRelationship> results = query.getResultList();
return results.size() > 0;
}
@Override
public void addRealmAdmin(UserModel agent) {
RealmAdminRelationship relationship = new RealmAdminRelationship();
relationship.setAdmin(((UserAdapter)agent).getUser());
relationship.setRealm(realm.getName());
getRelationshipManager().add(relationship);
}
@Override
public List<RoleModel> getDefaultRoles() {
List<RoleModel> defaultRoleModels = new ArrayList<RoleModel>();

View file

@ -0,0 +1,28 @@
package org.keycloak.models.picketlink.relationships;
import org.picketlink.idm.model.AbstractAttributedType;
import org.picketlink.idm.model.Attribute;
import org.picketlink.idm.model.Relationship;
import org.picketlink.idm.model.sample.User;
import org.picketlink.idm.query.AttributeParameter;
import org.picketlink.idm.query.RelationshipQueryParameter;
/**
* Picketlink doesn't allow you to query for all partitions, thus this stupid relationship...
*
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class RealmListingRelationship extends AbstractAttributedType implements Relationship {
private static final long serialVersionUID = 1L;
public static final AttributeParameter REALM = new AttributeParameter("realm");
public String getRealm() {
return (String)getAttribute("realm").getValue();
}
public void setRealm(String realm) {
setAttribute(new Attribute<String>("realm", realm));
}
}

View file

@ -0,0 +1,59 @@
package org.keycloak.services.managers;
import org.keycloak.models.*;
import org.keycloak.representations.idm.CredentialRepresentation;
import java.util.UUID;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class ApplianceBootstrap {
public void initKeycloakAdminRealm(RealmModel realm) {
}
public void bootstrap(KeycloakSession session) {
RealmManager manager = new RealmManager(session);
RealmModel realm = manager.createRealm(Constants.ADMIN_REALM, Constants.ADMIN_REALM);
realm.setName(Constants.ADMIN_REALM);
realm.setEnabled(true);
realm.addRequiredCredential(CredentialRepresentation.PASSWORD);
realm.addRequiredOAuthClientCredential(CredentialRepresentation.PASSWORD);
realm.addRequiredResourceCredential(CredentialRepresentation.PASSWORD);
realm.setTokenLifespan(300);
realm.setAccessCodeLifespan(60);
realm.setSslNotRequired(true);
realm.setCookieLoginAllowed(true);
realm.setRegistrationAllowed(false);
manager.generateRealmKeys(realm);
initKeycloakAdminRealm(realm);
ApplicationModel adminConsole = realm.addApplication(Constants.ADMIN_CONSOLE_APPLICATION);
adminConsole.setEnabled(true);
UserCredentialModel adminConsolePassword = new UserCredentialModel();
adminConsolePassword.setType(UserCredentialModel.PASSWORD);
adminConsolePassword.setValue(UUID.randomUUID().toString()); // just a random password as we'll never access it
realm.updateCredential(adminConsole.getApplicationUser(), adminConsolePassword);
RoleModel applicationRole = realm.getRole(Constants.APPLICATION_ROLE);
realm.grantRole(adminConsole.getApplicationUser(), applicationRole);
RoleModel adminRole = adminConsole.addRole(Constants.ADMIN_CONSOLE_ADMIN_ROLE);
UserModel adminUser = realm.addUser("admin");
adminUser.setEnabled(true);
UserCredentialModel password = new UserCredentialModel();
password.setType(UserCredentialModel.PASSWORD);
password.setValue("admin");
realm.updateCredential(adminUser, password);
//adminUser.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
adminConsole.grantRole(adminUser, adminRole);
}
}

View file

@ -70,7 +70,7 @@ public class ApplicationManager {
}
public ApplicationModel createApplication(RealmModel realm, ApplicationRepresentation resourceRep) {
RoleModel loginRole = realm.getRole(RealmManager.APPLICATION_ROLE);
RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE);
return createApplication(realm, loginRole, resourceRep);
}

View file

@ -7,6 +7,7 @@ import org.jboss.resteasy.spi.HttpResponse;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;
import org.keycloak.models.Constants;
import org.keycloak.representations.SkeletonKeyToken;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.models.RealmModel;
@ -33,18 +34,6 @@ public class AuthenticationManager {
public static final String FORM_USERNAME = "username";
public static final String KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY";
/**
* Grabs token from headers, authenticates, authorizes
*
* @param realm
* @param headers
* @return
*/
public boolean isRealmAdmin(RealmModel realm, HttpHeaders headers) {
UserModel user = authenticateBearerToken(realm, headers);
return realm.isRealmAdmin(user);
}
public SkeletonKeyToken createIdentityToken(RealmModel realm, String username) {
SkeletonKeyToken token = new SkeletonKeyToken();
token.id(RealmManager.generateId());
@ -211,9 +200,9 @@ public class AuthenticationManager {
Set<String> types = new HashSet<String>();
List<RequiredCredentialModel> requiredCredentials = null;
if (realm.hasRole(user, RealmManager.APPLICATION_ROLE)) {
if (realm.hasRole(user, Constants.APPLICATION_ROLE)) {
requiredCredentials = realm.getRequiredApplicationCredentials();
} else if (realm.hasRole(user, RealmManager.IDENTITY_REQUESTER_ROLE)) {
} else if (realm.hasRole(user, Constants.IDENTITY_REQUESTER_ROLE)) {
requiredCredentials = realm.getRequiredOAuthClientCredentials();
} else {
requiredCredentials = realm.getRequiredCredentials();

View file

@ -1,5 +1,6 @@
package org.keycloak.services.managers;
import org.keycloak.models.Constants;
import org.keycloak.models.OAuthClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
@ -18,7 +19,7 @@ public class OAuthClientManager {
public OAuthClientModel create(String name) {
OAuthClientModel model = realm.addOAuthClient(name);
RoleModel role = realm.getRole(RealmManager.IDENTITY_REQUESTER_ROLE);
RoleModel role = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
realm.grantRole(model.getOAuthAgent(), role);
return model;
}

View file

@ -20,9 +20,6 @@ import java.util.concurrent.atomic.AtomicLong;
public class RealmManager {
protected static final Logger logger = Logger.getLogger(RealmManager.class);
private static AtomicLong counter = new AtomicLong(1);
public static final String APPLICATION_ROLE = "KEYCLOAK_APPLICATION";
public static final String IDENTITY_REQUESTER_ROLE = "KEYCLOAK_IDENTITY_REQUESTER";
public static final String WILDCARD_ROLE = "*";
public static String generateId() {
return counter.getAndIncrement() + "-" + System.currentTimeMillis();
@ -34,8 +31,8 @@ public class RealmManager {
this.identitySession = identitySession;
}
public RealmModel defaultRealm() {
return getRealm(RealmModel.DEFAULT_REALM);
public RealmModel getKeycloakAdminstrationRealm() {
return getRealm(Constants.ADMIN_REALM);
}
public RealmModel getRealm(String id) {
@ -49,9 +46,9 @@ public class RealmManager {
public RealmModel createRealm(String id, String name) {
RealmModel realm = identitySession.createRealm(id, name);
realm.setName(name);
realm.addRole(WILDCARD_ROLE);
realm.addRole(APPLICATION_ROLE);
realm.addRole(IDENTITY_REQUESTER_ROLE);
realm.addRole(Constants.WILDCARD_ROLE);
realm.addRole(Constants.APPLICATION_ROLE);
realm.addRole(Constants.IDENTITY_REQUESTER_ROLE);
return realm;
}
@ -99,7 +96,6 @@ public class RealmManager {
//verifyRealmRepresentation(rep);
RealmModel realm = createRealm(rep.getRealm());
importRealm(rep, realm);
realm.addRealmAdmin(realmCreator);
return realm;
}
@ -329,7 +325,7 @@ public class RealmManager {
protected void createApplications(RealmRepresentation rep, RealmModel realm) {
RoleModel loginRole = realm.getRole(RealmManager.APPLICATION_ROLE);
RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE);
ApplicationManager manager = new ApplicationManager(this);
for (ApplicationRepresentation resourceRep : rep.getApplications()) {
manager.createApplication(realm, loginRole, resourceRep);

View file

@ -3,12 +3,9 @@ package org.keycloak.services.managers;
import org.jboss.resteasy.jose.Base64Url;
import org.jboss.resteasy.jose.jws.JWSBuilder;
import org.jboss.resteasy.jwt.JsonSerialization;
import org.keycloak.models.*;
import org.keycloak.representations.SkeletonKeyScope;
import org.keycloak.representations.SkeletonKeyToken;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import javax.ws.rs.core.MultivaluedMap;
import java.io.IOException;
@ -55,7 +52,7 @@ public class TokenManager {
Set<String> scopeRequest = null;
if (scopeMap != null) {
scopeRequest.addAll(scopeMap.get("realm"));
if (scopeRequest.contains(RealmManager.WILDCARD_ROLE)) scopeRequest = null;
if (scopeRequest.contains(Constants.WILDCARD_ROLE)) scopeRequest = null;
}
for (String role : realmMapping) {
if (
@ -74,7 +71,7 @@ public class TokenManager {
Set<String> scopeRequest = null;
if (scopeMap != null) {
scopeRequest.addAll(scopeMap.get(resource.getName()));
if (scopeRequest.contains(RealmManager.WILDCARD_ROLE)) scopeRequest = null;
if (scopeRequest.contains(Constants.WILDCARD_ROLE)) scopeRequest = null;
}
for (String role : mapping) {
if (

View file

@ -6,24 +6,17 @@ import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.HttpResponse;
import org.jboss.resteasy.spi.NotImplementedYetException;
import org.keycloak.models.*;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationManager.AuthenticationStatus;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.admin.RealmsAdminResource;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.validation.Validation;
import javax.ws.rs.*;
import javax.ws.rs.container.ResourceContext;
import javax.ws.rs.core.*;
import java.net.URI;
import java.util.LinkedList;
import java.util.List;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
@ -87,7 +80,7 @@ public class SaasService {
public Response keepalive(final @Context HttpHeaders headers) {
logger.debug("keepalive");
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.defaultRealm();
RealmModel realm = getAdminstrationRealm(realmManager);
if (realm == null)
throw new NotFoundException();
UserModel user = authManager.authenticateSaasIdentityCookie(realm, uriInfo, headers);
@ -104,14 +97,15 @@ public class SaasService {
@NoCache
public Response whoAmI(final @Context HttpHeaders headers) {
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.defaultRealm();
RealmModel realm = getAdminstrationRealm(realmManager);
if (realm == null)
throw new NotFoundException();
UserModel user = authManager.authenticateSaasIdentityCookie(realm, uriInfo, headers);
if (user == null) {
return Response.status(401).build();
}
return Response.ok(new WhoAmI(user.getLoginName(), user.getFirstName() + " " + user.getLastName())).build();
// keycloak is bootstrapped with an admin user with no first/last name, so use login name as display name
return Response.ok(new WhoAmI(user.getLoginName(), user.getLoginName())).build();
}
@Path("isLoggedIn.js")
@ -121,7 +115,7 @@ public class SaasService {
public String isLoggedIn(final @Context HttpHeaders headers) {
logger.debug("WHOAMI Javascript start.");
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.defaultRealm();
RealmModel realm = getAdminstrationRealm(realmManager);
if (realm == null) {
return "var keycloakCookieLoggedIn = false;";
@ -145,16 +139,20 @@ public class SaasService {
@Path("admin/realms")
public RealmsAdminResource getRealmsAdmin(@Context final HttpHeaders headers) {
RealmManager realmManager = new RealmManager(session);
RealmModel saasRealm = realmManager.defaultRealm();
RealmModel saasRealm = getAdminstrationRealm(realmManager);
if (saasRealm == null)
throw new NotFoundException();
UserModel admin = authManager.authenticateSaasIdentity(saasRealm, uriInfo, headers);
if (admin == null) {
throw new NotAuthorizedException("Bearer");
}
RoleModel creatorRole = saasRealm.getRole(SaasService.REALM_CREATOR_ROLE);
if (!saasRealm.hasRole(admin, creatorRole)) {
logger.warn("not a Realm creator");
ApplicationModel adminConsole = saasRealm.getApplicationNameMap().get(Constants.ADMIN_CONSOLE_APPLICATION);
if (adminConsole == null) {
throw new NotFoundException();
}
RoleModel adminRole = adminConsole.getRole(Constants.ADMIN_CONSOLE_ADMIN_ROLE);
if (!adminConsole.hasRole(admin, adminRole)) {
logger.warn("not a Realm admin");
throw new NotAuthorizedException("Bearer");
}
RealmsAdminResource adminResource = new RealmsAdminResource(admin);
@ -167,29 +165,18 @@ public class SaasService {
@NoCache
public Response loginPage() {
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.defaultRealm();
RealmModel realm = getAdminstrationRealm(realmManager);
authManager.expireSaasIdentityCookie(uriInfo);
return Flows.forms(realm, request, uriInfo).forwardToLogin();
}
@Path("registrations")
@GET
@NoCache
public Response registerPage() {
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.defaultRealm();
authManager.expireSaasIdentityCookie(uriInfo);
return Flows.forms(realm, request, uriInfo).forwardToRegistration();
}
@Path("logout")
@GET
@NoCache
public Response logout() {
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.defaultRealm();
RealmModel realm = getAdminstrationRealm(realmManager);
authManager.expireSaasIdentityCookie(uriInfo);
return Flows.forms(realm, request, uriInfo).forwardToLogin();
@ -209,7 +196,7 @@ public class SaasService {
public Response processLogin(final MultivaluedMap<String, String> formData) {
logger.info("processLogin start");
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.defaultRealm();
RealmModel realm = getAdminstrationRealm(realmManager);
if (realm == null)
throw new NotFoundException();
@ -236,91 +223,7 @@ public class SaasService {
}
}
@Path("registrations")
@POST
@Consumes(MediaType.APPLICATION_JSON)
public Response register(final UserRepresentation newUser) {
RealmManager realmManager = new RealmManager(session);
RealmModel defaultRealm = realmManager.defaultRealm();
UserModel user = registerMe(defaultRealm, newUser);
if (user == null) {
return Response.status(400).type("text/plain").entity("Already exists").build();
}
URI uri = uriInfo.getBaseUriBuilder().path(RealmsResource.class).path(user.getLoginName()).build();
return Response.created(uri).build();
protected RealmModel getAdminstrationRealm(RealmManager realmManager) {
return realmManager.getKeycloakAdminstrationRealm();
}
@Path("registrations")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response processRegister(final MultivaluedMap<String, String> formData) {
RealmManager realmManager = new RealmManager(session);
RealmModel defaultRealm = realmManager.defaultRealm();
List<String> requiredCredentialTypes = new LinkedList<String>();
for (RequiredCredentialModel m : defaultRealm.getRequiredCredentials()) {
requiredCredentialTypes.add(m.getType());
}
String error = Validation.validateRegistrationForm(formData, requiredCredentialTypes);
if (error != null) {
return Flows.forms(defaultRealm, request, uriInfo).setError(error).setFormData(formData)
.forwardToRegistration();
}
UserRepresentation newUser = new UserRepresentation();
newUser.setUsername(formData.getFirst("username"));
newUser.setEmail(formData.getFirst("email"));
newUser.setFirstName(formData.getFirst("firstName"));
newUser.setLastName(formData.getFirst("lastName"));
if (requiredCredentialTypes.contains(CredentialRepresentation.PASSWORD)) {
newUser.credential(CredentialRepresentation.PASSWORD, formData.getFirst("password"));
}
if (requiredCredentialTypes.contains(CredentialRepresentation.TOTP)) {
newUser.credential(CredentialRepresentation.TOTP, formData.getFirst("password"));
}
UserModel user = registerMe(defaultRealm, newUser);
if (user == null) {
return Flows.forms(defaultRealm, request, uriInfo).setError(Messages.USERNAME_EXISTS)
.setFormData(formData).forwardToRegistration();
}
NewCookie cookie = authManager.createSaasIdentityCookie(defaultRealm, user, uriInfo);
return Response.status(302).location(contextRoot(uriInfo).path(adminPath).build()).cookie(cookie).build();
}
protected UserModel registerMe(RealmModel defaultRealm, UserRepresentation newUser) {
if (!defaultRealm.isEnabled()) {
throw new ForbiddenException();
}
if (!defaultRealm.isRegistrationAllowed()) {
throw new ForbiddenException();
}
UserModel user = defaultRealm.getUser(newUser.getUsername());
if (user != null) {
return null;
}
user = defaultRealm.addUser(newUser.getUsername());
user.setFirstName(newUser.getFirstName());
user.setLastName(newUser.getLastName());
user.setEmail(newUser.getEmail());
for (CredentialRepresentation cred : newUser.getCredentials()) {
UserCredentialModel credModel = new UserCredentialModel();
credModel.setType(cred.getType());
credModel.setValue(cred.getValue());
defaultRealm.updateCredential(user, credModel);
}
for (RoleModel role : defaultRealm.getDefaultRoles()) {
defaultRealm.grantRole(user, role);
}
return user;
}
}

View file

@ -15,7 +15,6 @@ import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.services.managers.AccessCodeEntry;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationManager.AuthenticationStatus;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.messages.Messages;
@ -176,6 +175,7 @@ public class TokenService {
public Response processLogin(@QueryParam("client_id") final String clientId, @QueryParam("scope") final String scopeParam,
@QueryParam("state") final String state, @QueryParam("redirect_uri") final String redirect,
final MultivaluedMap<String, String> formData) {
logger.info("TokenService.processLogin");
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
if (!realm.isEnabled()) {
@ -456,8 +456,8 @@ public class TokenService {
return null;
}
RoleModel resourceRole = realm.getRole(RealmManager.APPLICATION_ROLE);
RoleModel identityRequestRole = realm.getRole(RealmManager.IDENTITY_REQUESTER_ROLE);
RoleModel resourceRole = realm.getRole(Constants.APPLICATION_ROLE);
RoleModel identityRequestRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
boolean isResource = realm.hasRole(client, resourceRole);
if (!isResource && !realm.hasRole(client, identityRequestRole)) {
oauth.forwardToSecurityFailure("Login requester not allowed to request login.");

View file

@ -78,9 +78,6 @@ public class RealmsAdminResource {
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.getRealm(id);
if (realm == null) throw new NotFoundException();
if (!realm.isRealmAdmin(admin)) {
throw new ForbiddenException();
}
RealmAdminResource adminResource = new RealmAdminResource(admin, realm);
resourceContext.initResource(adminResource);

View file

@ -26,9 +26,9 @@ import java.util.Set;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.models.Constants;
import org.keycloak.services.managers.AccessCodeEntry;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
@ -81,8 +81,8 @@ public class OAuthFlows {
}
public Response processAccessCode(String scopeParam, String state, String redirect, UserModel client, UserModel user) {
RoleModel resourceRole = realm.getRole(RealmManager.APPLICATION_ROLE);
RoleModel identityRequestRole = realm.getRole(RealmManager.IDENTITY_REQUESTER_ROLE);
RoleModel resourceRole = realm.getRole(Constants.APPLICATION_ROLE);
RoleModel identityRequestRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
boolean isResource = realm.hasRole(client, resourceRole);
if (!isResource && !realm.hasRole(client, identityRequestRole)) {
return forwardToSecurityFailure("Login requester not allowed to request login.");

View file

@ -1,17 +1,15 @@
package org.keycloak.test;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.FixMethodOrder;
import org.junit.Test;
import org.junit.runners.MethodSorters;
import org.keycloak.models.*;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.services.managers.ApplianceBootstrap;
import org.keycloak.services.managers.OAuthClientManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.models.UserModel.RequiredAction;
import org.keycloak.services.resources.KeycloakApplication;
import org.keycloak.test.common.AbstractKeycloakTest;
import org.keycloak.test.common.SessionFactoryTestContext;
@ -35,7 +33,7 @@ public class AdapterTest extends AbstractKeycloakTest {
@Test
public void installTest() throws Exception {
new InstallationManager().install(getRealmManager());
new ApplianceBootstrap().bootstrap(identitySession);
}
@ -78,6 +76,48 @@ public class AdapterTest extends AbstractKeycloakTest {
Assert.assertEquals("foo", realmModel.getDefaultRoles().get(0).getName());
}
@Test
public void testRealmListing() throws Exception {
realmModel = getRealmManager().createRealm("JUGGLER");
realmModel.setAccessCodeLifespan(100);
realmModel.setAccessCodeLifespanUserAction(600);
realmModel.setCookieLoginAllowed(true);
realmModel.setEnabled(true);
realmModel.setName("JUGGLER");
realmModel.setPrivateKeyPem("0234234");
realmModel.setPublicKeyPem("0234234");
realmModel.setTokenLifespan(1000);
realmModel.setAutomaticRegistrationAfterSocialLogin(true);
realmModel.addDefaultRole("foo");
System.out.println(realmModel.getId());
realmModel = getRealmManager().getRealm(realmModel.getId());
Assert.assertNotNull(realmModel);
Assert.assertEquals(realmModel.getAccessCodeLifespan(), 100);
Assert.assertEquals(600, realmModel.getAccessCodeLifespanUserAction());
Assert.assertEquals(realmModel.getTokenLifespan(), 1000);
Assert.assertEquals(realmModel.isEnabled(), true);
Assert.assertEquals(realmModel.getName(), "JUGGLER");
Assert.assertEquals(realmModel.getPrivateKeyPem(), "0234234");
Assert.assertEquals(realmModel.getPublicKeyPem(), "0234234");
Assert.assertEquals(realmModel.isAutomaticRegistrationAfterSocialLogin(), true);
Assert.assertEquals(1, realmModel.getDefaultRoles().size());
Assert.assertEquals("foo", realmModel.getDefaultRoles().get(0).getName());
String id = realmModel.getId();
System.out.println("id: " + id);
identitySession.getTransaction().commit();
identitySession.close();
identitySession = factory.createSession();
identitySession.getTransaction().begin();
realmManager = new RealmManager(identitySession);
List<RealmModel> realms = identitySession.getRealms(null);
System.out.println("num realms: " + realms.size());
Assert.assertEquals(realms.size(), 1);
}
@Test
public void test2RequiredCredential() throws Exception {
test1CreateRealm();
@ -126,7 +166,7 @@ public class AdapterTest extends AbstractKeycloakTest {
oauth.setBaseUrl("/foo/bar");
oauth = realmModel.getOAuthClient("oauth-client");
Assert.assertEquals("/foo/bar", oauth.getBaseUrl());
Assert.assertTrue(realmModel.hasRole(oauth.getOAuthAgent(), RealmManager.IDENTITY_REQUESTER_ROLE));
Assert.assertTrue(realmModel.hasRole(oauth.getOAuthAgent(), Constants.IDENTITY_REQUESTER_ROLE));
}

View file

@ -39,26 +39,9 @@ public class ImportTest extends AbstractKeycloakTest {
@Test
public void install() throws Exception {
RealmManager manager = getRealmManager();
RealmModel defaultRealm = manager.createRealm(RealmModel.DEFAULT_REALM, RealmModel.DEFAULT_REALM);
defaultRealm.setName(RealmModel.DEFAULT_REALM);
defaultRealm.setEnabled(true);
defaultRealm.setTokenLifespan(300);
defaultRealm.setAccessCodeLifespan(60);
defaultRealm.setAccessCodeLifespanUserAction(600);
defaultRealm.setSslNotRequired(false);
defaultRealm.setCookieLoginAllowed(true);
defaultRealm.setRegistrationAllowed(true);
defaultRealm.setAutomaticRegistrationAfterSocialLogin(false);
manager.generateRealmKeys(defaultRealm);
defaultRealm.addRequiredCredential(CredentialRepresentation.PASSWORD);
RoleModel role = defaultRealm.addRole(SaasService.REALM_CREATOR_ROLE);
UserModel admin = defaultRealm.addUser("admin");
defaultRealm.grantRole(admin, role);
RealmRepresentation rep = AbstractKeycloakServerTest.loadJson("testrealm.json");
RealmModel realm = manager.createRealm("demo", rep.getRealm());
manager.importRealm(rep, realm);
realm.addRealmAdmin(admin);
Assert.assertTrue(realm.isVerifyEmail());
@ -81,8 +64,6 @@ public class ImportTest extends AbstractKeycloakTest {
List<ApplicationModel> resources = realm.getApplications();
Assert.assertEquals(2, resources.size());
List<RealmModel> realms = getIdentitySession().getRealms(admin);
Assert.assertEquals(1, realms.size());
// Test scope relationship
ApplicationModel application = realm.getApplicationNameMap().get("Application");
@ -118,26 +99,9 @@ public class ImportTest extends AbstractKeycloakTest {
@Test
public void install2() throws Exception {
RealmManager manager = getRealmManager();
RealmModel defaultRealm = manager.createRealm(RealmModel.DEFAULT_REALM, RealmModel.DEFAULT_REALM);
defaultRealm.setName(RealmModel.DEFAULT_REALM);
defaultRealm.setEnabled(true);
defaultRealm.setTokenLifespan(300);
defaultRealm.setAccessCodeLifespan(60);
defaultRealm.setAccessCodeLifespanUserAction(600);
defaultRealm.setSslNotRequired(false);
defaultRealm.setCookieLoginAllowed(true);
defaultRealm.setRegistrationAllowed(true);
defaultRealm.setAutomaticRegistrationAfterSocialLogin(false);
manager.generateRealmKeys(defaultRealm);
defaultRealm.addRequiredCredential(CredentialRepresentation.PASSWORD);
RoleModel role = defaultRealm.addRole(SaasService.REALM_CREATOR_ROLE);
UserModel admin = defaultRealm.addUser("admin");
defaultRealm.grantRole(admin, role);
RealmRepresentation rep = AbstractKeycloakServerTest.loadJson("testrealm-demo.json");
RealmModel realm = manager.createRealm("demo", rep.getRealm());
manager.importRealm(rep, realm);
realm.addRealmAdmin(admin);
Assert.assertTrue(realm.isAutomaticRegistrationAfterSocialLogin());
Assert.assertEquals(600, realm.getAccessCodeLifespanUserAction());

View file

@ -1,32 +0,0 @@
package org.keycloak.test;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.models.RealmModel;
import org.keycloak.services.resources.SaasService;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class InstallationManager {
public void install(RealmManager manager) {
RealmModel defaultRealm = manager.createRealm(RealmModel.DEFAULT_REALM, RealmModel.DEFAULT_REALM);
defaultRealm.setName(RealmModel.DEFAULT_REALM);
defaultRealm.setEnabled(true);
defaultRealm.setTokenLifespan(300);
defaultRealm.setAccessCodeLifespan(60);
defaultRealm.setAccessCodeLifespanUserAction(600);
defaultRealm.setSslNotRequired(false);
defaultRealm.setCookieLoginAllowed(true);
defaultRealm.setRegistrationAllowed(true);
manager.generateRealmKeys(defaultRealm);
defaultRealm.addRequiredCredential(CredentialRepresentation.PASSWORD);
defaultRealm.addRole(SaasService.REALM_CREATOR_ROLE);
defaultRealm.addDefaultRole(SaasService.REALM_CREATOR_ROLE);
}
public boolean isInstalled(RealmManager manager) {
return manager.defaultRealm() != null;
}
}

View file

@ -1,74 +0,0 @@
package org.keycloak.test;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import static org.jboss.resteasy.test.TestPortProvider.generateURL;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class RealmCreationTest extends AbstractKeycloakServerTest {
@BeforeClass
public static void before() throws Exception {
KeycloakSession session = application.getFactory().createSession();
session.getTransaction().begin();
RealmManager manager = new RealmManager(session);
new InstallationManager().install(manager);
session.getTransaction().commit();
session.close();
}
@Test
public void testRegisterLoginAndCreate() throws Exception {
UserRepresentation user = new UserRepresentation();
user.setUsername("bburke");
user.credential(CredentialRepresentation.PASSWORD, "geheim");
WebTarget target = client.target(generateURL("/"));
Response response = target.path("saas/registrations").request().post(Entity.json(user));
Assert.assertEquals(201, response.getStatus());
response.close();
AccessTokenResponse tokenResponse = null;
try {
Form form = new Form();
form.param(AuthenticationManager.FORM_USERNAME, "bburke");
form.param(CredentialRepresentation.PASSWORD, "badpassword");
tokenResponse = target.path("realms").path(RealmModel.DEFAULT_REALM).path("tokens/grants/identity-token").request().post(Entity.form(form), AccessTokenResponse.class);
Assert.fail();
} catch (NotAuthorizedException e) {
}
Form form = new Form();
form.param(AuthenticationManager.FORM_USERNAME, "bburke");
form.param(CredentialRepresentation.PASSWORD, "geheim");
tokenResponse = target.path("realms").path(RealmModel.DEFAULT_REALM).path("tokens/grants/identity-token").request().post(Entity.form(form), AccessTokenResponse.class);
Assert.assertNotNull(tokenResponse);
System.out.println(tokenResponse.getToken());
//
RealmRepresentation realm = loadJson("testrealm.json");
response = target.path("saas/admin/realms").request().header(HttpHeaders.AUTHORIZATION, "Bearer " + tokenResponse.getToken()).post(Entity.json(realm));
Assert.assertEquals(201, response.getStatus());
response.close();
}
}

View file

@ -24,9 +24,9 @@ public abstract class AbstractKeycloakTest {
protected static final SessionFactoryTestContext[] TEST_CONTEXTS;
private final SessionFactoryTestContext testContext;
private KeycloakSessionFactory factory;
private KeycloakSession identitySession;
private RealmManager realmManager;
protected KeycloakSessionFactory factory;
protected KeycloakSession identitySession;
protected RealmManager realmManager;
// STATIC METHODS

View file

@ -37,17 +37,12 @@ import org.jboss.resteasy.jwt.JsonSerialization;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.plugins.server.undertow.UndertowJaxrsServer;
import org.jboss.resteasy.spi.ResteasyDeployment;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.models.*;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.services.filters.KeycloakSessionServletFilter;
import org.keycloak.services.managers.ApplianceBootstrap;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resources.KeycloakApplication;
import org.keycloak.services.resources.SaasService;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -221,24 +216,11 @@ public class KeycloakServer {
try {
RealmManager manager = new RealmManager(session);
if (manager.getRealm(RealmModel.DEFAULT_REALM) != null) {
if (manager.getRealm(Constants.ADMIN_REALM) != null) {
return;
}
RealmModel defaultRealm = manager.createRealm(RealmModel.DEFAULT_REALM, RealmModel.DEFAULT_REALM);
defaultRealm.setName(RealmModel.DEFAULT_REALM);
defaultRealm.setEnabled(true);
defaultRealm.setTokenLifespan(300);
defaultRealm.setAccessCodeLifespan(60);
defaultRealm.setAccessCodeLifespanUserAction(600);
defaultRealm.setSslNotRequired(true);
defaultRealm.setCookieLoginAllowed(true);
defaultRealm.setRegistrationAllowed(true);
manager.generateRealmKeys(defaultRealm);
defaultRealm.addRequiredCredential(CredentialRepresentation.PASSWORD);
defaultRealm.addRole(SaasService.REALM_CREATOR_ROLE);
defaultRealm.addDefaultRole(SaasService.REALM_CREATOR_ROLE);
new ApplianceBootstrap().bootstrap(session);
session.getTransaction().commit();
} finally {
session.close();

View file

@ -32,6 +32,7 @@ import javax.servlet.Servlet;
import org.jboss.resteasy.jwt.JsonSerialization;
import org.junit.rules.ExternalResource;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.idm.RealmRepresentation;
@ -104,10 +105,10 @@ public class KeycloakRule extends ExternalResource {
try {
RealmManager manager = new RealmManager(session);
RealmModel defaultRealm = manager.getRealm(RealmModel.DEFAULT_REALM);
RealmModel adminstrationRealm = manager.getRealm(Constants.ADMIN_REALM);
RealmModel appRealm = manager.getRealm("test");
configurer.config(manager, defaultRealm, appRealm);
configurer.config(manager, null, appRealm);
session.getTransaction().commit();
} finally {
@ -117,7 +118,7 @@ public class KeycloakRule extends ExternalResource {
public interface KeycloakSetup {
void config(RealmManager manager, RealmModel defaultRealm, RealmModel appRealm);
void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm);
}